Re: [kubernetes-users] Multiple vs Single K8S Clusters

2018-05-17 Thread Prys Williams
Thanks Paul, that's interesting.

Anyone doing the opposite - i.e. single cluster for all?

On Thursday, 17 May 2018 09:01:42 UTC+1, Paul Ingles wrote:
>
> We run multiple clusters for the reasons you highlight: cluster-local 
> failures are more readily mitigated. We’ve had networking issues affect one 
> cluster but not the others. 
>
> We don’t separate clusters along env lines, instead just named after 
> colours (currently) and state the order in which they’ll receive cluster 
> software upgrades. 
>
> Product teams (the users of our clusters) can choose to run their software 
> how they like. Most teams deploy to a single cluster and that’s good 
> enough. For the more public-facing teams that have more money at stake 
> we’ve got some tooling to help them operate against multiple clusters 
> (we’re watching the progress of Federation but we’re in AWS so have had to 
> tie stuff together ourselves).
>
> On Thu, 17 May 2018 at 08:55, Prys Williams wrote:
>
>> Hi all,
>> I'm looking for broad advice on cluster architecture, specifically around 
>> the pros and cons of having multiple clusters vs single cluster for Prod 
>> workloads. Our approach so far has been to use a single cluster with RBAC, 
>> namespaces, network policies etc all being used to segregate services from 
>> each other. We're facing arguments however to limit blast-radius of cluster 
>> failure or compromise and to deploy across multiple Production clusters. Is 
>> there any best-practice reference architecture in this space that might 
>> point one way or the other?
>>
>> Many thanks
>>
>> Prys
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Kubernetes user discussion and Q&A" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to kubernetes-use...@googlegroups.com .
>> To post to this group, send email to kubernet...@googlegroups.com 
>> .
>> Visit this group at https://groups.google.com/group/kubernetes-users.
>> For more options, visit https://groups.google.com/d/optout.
>>
>



[kubernetes-users] Multiple vs Single K8S Clusters

2018-05-17 Thread Prys Williams
Hi all,
I'm looking for broad advice on cluster architecture, specifically around 
the pros and cons of having multiple clusters vs single cluster for Prod 
workloads. Our approach so far has been to use a single cluster with RBAC, 
namespaces, network policies etc all being used to segregate services from 
each other. We're facing arguments however to limit blast-radius of cluster 
failure or compromise and to deploy across multiple Production clusters. Is 
there any best-practice reference architecture in this space that might 
point one way or the other?

Many thanks

Prys



[kubernetes-users] Re: Network Policies in v1.7 not working

2017-09-13 Thread Prys Williams
Hi Giancarlo,

Thanks for replying. In terms of architecture, I'm using Kops to deploy a 
single master / two worker nodes (all v.1.7.2) across 2 x AWS AZs 
(eu-west-1). This is purely a test environment which I have torn down and 
re-created specifying various network providers, including weave, calico 
and canal. There are no production pods deployed, so I'm only looking at 
running the test pods described in the Kubernetes documentation referenced 
in the original post.

Thanks to a private-reply suggestion I've re-created the cluster specifying 
the kube-router CNI plug-in, and this time network policies work as 
described in the documentation. I think what's happening here is the 
semantics for stating network policies have changed in v.1.7 of kubernetes 
but the version of CNI plug-ins deployed by Kops are not yet in-step with 
implementing default-deny, except through annotations 
(see https://github.com/weaveworks/weave/issues/3105 for a better 
explanation of what I mean).

The answer then is to upgrade CNI plug-ins as and when support for 1.7 
netpol semantics is implemented, or build from the off with plug-ins that 
already support it!


On Wednesday, 13 September 2017 07:28:19 UTC+1, Giancarlo Rubio wrote:
>
> What network provider are you using? Please provide more info about your 
> scenario like architecture, your networkpolicy, pods, etc..
>
> In case you're using calico, check your daemonset 
> calico-policy-controller. Start the daemonset with log level "verbose" and 
> read the logs.
>
> On Tuesday, 12 September 2017 15:25:24 UTC+2, Prys Williams wrote:
>>
>> I'm building an AWS-hosted Kubernetes cluster using kops (kops version 
>> 1.7.0). Kops creates a kubernetes cluster v1.7.2 and I have kubectl v1.7.4.
>>
>> I'm following Kubernetes documentation to declare network policies (see 
>> https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/ 
>> but similar step-by-step given at 
>> https://github.com/ahmetb/kubernetes-networkpolicy-tutorial/blob/master/01-deny-all-traffic-to-an-application.md).
>>
>> However the network policies to deny access to pods do not have any effect 
>> and I continue to be able to access from other pods. I have tried this 
>> specifying various kops networking options (e.g. weave / calico / canal 
>> etc) but network policy does not seem to be applied with any of them.
>>
>> Is anyone able to shed any light on this, please?
>>
>>
>>
>>
>>
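The two policy forms this thread contrasts, as an added example that is not part of the original posts: a default-deny in the v1.7 (networking.k8s.io/v1) NetworkPolicy semantics with an explicit allow, and the older namespace annotation that plug-ins not yet in step with the 1.7 semantics still required. The namespace name and the pod labels are assumed.

```yaml
# Added example, not from the thread. The namespace "netpol-test" and the
# labels "app: web" / "role: client" are assumed names.
#
# Form 1: v1.7 semantics. An empty podSelector selects every pod in the
# namespace; with no ingress rules listed, nothing is allowed in, so this
# one object makes the namespace default-deny for ingress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: netpol-test
spec:
  podSelector: {}
---
# Allow-list on top of the default-deny: only pods labelled role=client
# may reach app=web pods on TCP/80; everything else stays blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow-client
  namespace: netpol-test
spec:
  podSelector:
    matchLabels:
      app: web
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: client
    ports:
    - protocol: TCP
      port: 80
---
# Form 2: the pre-1.7 (beta) way to make a namespace default-deny, via a
# namespace annotation. Deprecated in 1.7 and later removed, but plug-ins
# that had not yet implemented the v1.7 semantics still keyed off it.
apiVersion: v1
kind: Namespace
metadata:
  name: netpol-test
  annotations:
    net.beta.kubernetes.io/network-policy: '{"ingress": {"isolation": "DefaultDeny"}}'
```

A quick check after applying Form 1 is that a pod in the namespace without the role=client label can no longer reach the app=web service, while one carrying the label can; if the unlabelled pod still connects, the CNI plug-in is not enforcing the v1.7 policy objects.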



[kubernetes-users] Network Policies in v1.7 not working

2017-09-12 Thread Prys Williams
I'm building an AWS-hosted Kubernetes cluster using kops (kops version 
1.7.0). Kops creates a kubernetes cluster v1.7.2 and I have kubectl v1.7.4.

I'm following Kubernetes documentation to declare network policies (see 
https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/ 
but similar step-by-step given at 
https://github.com/ahmetb/kubernetes-networkpolicy-tutorial/blob/master/01-deny-all-traffic-to-an-application.md).

However the network policies to deny access to pods do not have any effect 
and I continue to be able to access from other pods. I have tried this 
specifying various kops networking options (e.g. weave / calico / canal 
etc) but network policy does not seem to be applied with any of them.

Is anyone able to shed any light on this, please?



