
vCluster’s Isolated Mode Brings More Security To Kubernetes


Guest: Lukas Gentele (LinkedIn)
Company: Loft Labs (Twitter)
Show: Let’s Talk
Keywords: vcluster, Virtual Cluster

vcluster, the first certified Kubernetes distribution, creates virtual Kubernetes clusters that can be spun up in isolated namespaces and without admin privileges to the underlying Kubernetes cluster. It enables developers to spin up virtual clusters rather than real ones, helping them create lightweight clusters that run on top of other Kubernetes clusters in a matter of seconds. The lightweight clusters can then be disposed of after the development task or CI/CD pipeline is finished with. vcluster has recently added a new feature called Isolated Mode.

In this episode of TFiR Let’s Talk, Swapnil Bhartiya sat down with Lukas Gentele, Co-Founder and CEO of Loft Labs, to discuss vcluster’s new feature, Isolated Mode, and how it is benefiting developers. Gentele says, “It essentially takes you from isolated virtual clusters or only logically isolated virtual clusters to much, much stricter isolated virtual clusters. Instead of spending days on that step, you essentially get there in a second by adding an additional flag.”

Initially with vcluster, developers could spin up virtual clusters, but the responsibility for ensuring they were isolated lay with the developers themselves. Isolated Mode grew out of an accumulation of small feature requests from developers, such as making network policies and resource limitations easier to apply to virtual clusters. It helps developers who lack security expertise or familiarity with vcluster's internals: rather than having to work out what is needed, they get a list of five or six security measures that are applied straight away, which makes the process much simpler.

Gentele explains that security continues to be an important consideration, which is why Pod Security Standards are now enforced by default. These standards are essentially admission control, and vcluster adds further custom admission control on its sync side. Limit ranges also play an important role: they define defaults such as CPU and memory limits that are applied automatically to pods that do not specify their own. Resource quotas then limit the resources that the limit ranges have made explicit.

The other component is network isolation. Developers can spin up a hundred virtual clusters inside the same EKS cluster and launch pods in them, but those pods and containers actually run inside the underlying EKS cluster, so network connectivity between the containers is possible. With network policies in place, that traffic can be restricted so that if one virtual cluster is compromised, it cannot reach another through internal networking.
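As an added illustration, not vcluster's own manifests or any code from Loft Labs, the four measures described above expressed as plain Kubernetes objects applied to the host namespace that one virtual cluster's pods are synced into. The namespace name vcluster-tenant-a, every resource figure, the use of the host cluster's built-in Pod Security Admission labels (rather than vcluster's sync-side enforcement), and the private address ranges excluded from egress are all assumptions:

```yaml
# Added illustration, not vcluster's own manifests: the four Isolated Mode
# measures as plain Kubernetes objects on the host namespace that one
# virtual cluster's pods are synced into. Namespace name, label values and
# resource figures are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: vcluster-tenant-a            # assumed host namespace for one vcluster
  labels:
    # 1. Pod Security Standards via the built-in Pod Security Admission
    #    controller (Kubernetes 1.23+): reject pods that violate "baseline",
    #    warn on anything that would fail "restricted".
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/warn: restricted
---
# 2. LimitRange: containers that omit requests/limits get these defaults,
#    so the quota below can actually be enforced against them.
apiVersion: v1
kind: LimitRange
metadata:
  name: vcluster-defaults
  namespace: vcluster-tenant-a
spec:
  limits:
    - type: Container
      default:                       # applied when the container sets no limit
        cpu: "1"
        memory: 512Mi
      defaultRequest:                # applied when the container sets no request
        cpu: 100m
        memory: 128Mi
      max:                           # hard ceiling per container
        cpu: "2"
        memory: 2Gi
---
# 3. ResourceQuota: caps the namespace as a whole. Because the LimitRange
#    guarantees every container carries requests and limits, pods are not
#    rejected merely for lacking them.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: vcluster-quota
  namespace: vcluster-tenant-a
spec:
  hard:
    requests.cpu: "10"
    requests.memory: 20Gi
    limits.cpu: "20"
    limits.memory: 40Gi
    pods: "50"
---
# 4. NetworkPolicy: deny everything, then allow only traffic within this
#    namespace, DNS to kube-system, and egress to non-private addresses.
#    Only effective with a CNI that enforces NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vcluster-isolation
  namespace: vcluster-tenant-a
spec:
  podSelector: {}                    # every pod synced into this namespace
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - podSelector: {}            # same-namespace pods only
  egress:
    - to:
        - podSelector: {}            # same-namespace pods
    - to:                            # cluster DNS in kube-system
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:                            # public addresses, but not other tenants
        - ipBlock:
            cidr: 0.0.0.0/0
            except:                  # assumed private ranges; match your cluster
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
```

Apply with `kubectl apply -f` and confirm the objects with `kubectl get limitrange,resourcequota,networkpolicy -n vcluster-tenant-a`. The `except` list must cover the host cluster's pod and service CIDRs, otherwise a pod in one tenant namespace could still address another tenant's pod IPs directly; the ranges above are a common default, not a fact taken from the page.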

vcluster is gaining momentum and has already reached some notable milestones, including over 1,300 GitHub stars and a million Docker pulls, showing that it is being used heavily in a variety of Kubernetes clusters.

About Lukas Gentele: Lukas Gentele is the CEO of Loft Labs, Inc., a startup that builds open-source developer tooling for Kubernetes and helps companies with their transition from traditional to cloud-native software development. Before moving to San Francisco to start Loft Labs, Lukas founded a Kubernetes-focused consulting company in his home country Germany. He has previously spoken at conferences such as KubeCon, ContainerConf and Continuous Lifecycle, writes articles for journals such as heise and Better Programming, and likes to share his experiences at meetups.

About Loft Labs: Loft Labs was founded in 2019 to create open-source developer tooling and virtual cluster technology for Kubernetes, with the goal to increase developer productivity and to help engineers gain secure but unimpeded access to cloud infrastructure.

The summary of the show is written by Emily Nicholls.


Here is the unedited transcript of the show:

  • Swapnil Bhartiya: Hi, this is your host Swapnil Bhartiya and welcome to TFiR newsroom. Open source project vcluster has added a big new feature, Isolated Mode, for virtual Kubernetes clusters. To deep dive into this announcement, today we have with us, once again, Lukas Gentele, co-founder and CEO of Loft Labs. Lukas, it’s great to have you on the show.

Lukas Gentele: Yeah, great to be here.

  • Swapnil Bhartiya: First of all, remind us what vcluster is.

Lukas Gentele: Yeah, vcluster is the first certified Kubernetes distribution that allows you to spin out virtual clusters instead of real clusters. It’s pretty exciting because you can essentially create these very lightweight clusters that run on top of other Kubernetes clusters. We’re starting to support more and more distributions. It’s very, very flexible on how you spin them up and they’re super fast. You can literally spin these virtual clusters up in three or four seconds, and you can also dispose of them again after you’re done with your development task or your CI/CD pipeline, right? They’re very, very flexible. They’re not as heavyweight as real Kubernetes clusters.

  • Swapnil Bhartiya: Excellent. We have been covering vclusters since day one when it was initially released. Can you look back and tell us how it has been received by the community? Last time, we had a very good discussion because there is a lot of interest, even from AWS folks and other folks. So let’s talk about how it has been embraced, adopted, and what kind of interest are you seeing?

Lukas Gentele: Yeah. There’s a lot of interest in vcluster. I think since I gave that KubeCon talk last October in LA, that was definitely kind of the moment where a lot of people were like, “Oh, vcluster, interesting.” I think a lot of people started talking either in person at conferences or attending virtually or seeing it on YouTube later on. And I think that really kick-started an additional movement in the community.

I think one thing that we saw after talking is people started experimenting with more and more use cases, even folks putting virtual clusters in production. Yeah, we’ve seen a lot of adoption of vcluster in this community. I think one big sign is definitely GitHub stars, we have 1,300 at this point. But then also, if you look at the image posts on Docker Hub, we are actually going to hit a million Docker pulls probably in a couple of days from now and that’s super exciting. I think that definitely shows that vcluster is in heavy use out there in a variety of Kubernetes clusters and that’s just super exciting to see.

  • Swapnil Bhartiya: You just released the latest update with a big new feature, Isolated Mode. Tell us what it is.

Lukas Gentele: A set of features being essentially around customizing virtual cluster’s behavior. And we’ve added a lot of things there, including a plugin system that actually lets you write custom plugins. We’re kind of thinking about establishing something like a way to share these plugins as well in the future to make it easier for folks to kind of have a central repository where you can upload plugins and other people can download them and consume them. That is definitely an exciting topic. And the other topic is, like you mentioned, AWS contributed EKS distribution. We worked on K0s distribution. In the beginning, we just had K3s and then we added support for upstream Kubernetes. And that’s really great to see that we have these more opinionated vendor-provided distributions inside vcluster as well. That’s definitely a really big step getting all these different distros available in vcluster.

  • Swapnil Bhartiya: And you did touch upon what kind of features they’re asking for. Can you give a reason why you particularly chose to release these features at this point in time?

Lukas Gentele: Yeah. Sometimes it’s hard to decide which feature to implement and how to prioritize things, in a way as well. Right? I think Isolated Mode is very important because it affects a large number of people. We saw different little feature requests like, “Hey, can you make network policies easier for virtual clusters?” Or can we make resource limitations for users easier. Right? And those are all kinds of sub-tasks that lead to something like an Isolated Mode. Of course, there could have been other ways to implement this as individual little features, but we were like, “Okay, what should the initial experience of vcluster look like?” And right now, before Isolated Mode, it was essentially, “Hey, you can spin up virtual clusters, which is great, but then you need to make sure that they’re isolated and that’s kind of your responsibility afterwards.” Right? We don’t help you do that.

Use the Kubernetes tooling, use a whole lot of other tools available in the space and plug them in vcluster and combine them with vcluster to make this work. But a lot of people struggle to do that because, a, security is a hard topic, and b, you never know what you actually need. Right? You have to think about a lot of things and you may not be familiar with the internals of vcluster as well as we are, as project maintainers. So we were like, “Can’t we change that and make it a default.” And I think this kind of attitude of secure by default is a very, very kind of strong selling point for any product. And vcluster is probably going to be very, very beneficial, especially because it makes those first initial steps much, much easier. You may have security concerns from the start. Now you look at vcluster and you see, “Oh, there’s Isolated Mode. What does it offer me?” And you get this list of five or six security measures that it implements immediately.

  • Swapnil Bhartiya: Security is becoming a big concern. We are hearing a lot about that so there’s a renewed interest in security, though security was already a topic in the cloud work. As you said, there are five or six things you would get when it comes to security. Can you list them out? What are the clear benefits folks get with this Isolated Mode?

Lukas Gentele: Yeah, there are some smaller things, but I think there are four very important parts of it. The one is Pod security standards. It’s a Kubernetes construct that we’re enforcing by default now. There are different levels of these security standards that you could choose from that also includes a little bit of custom admission control that we’re adding. Pod security standards are essentially admission control. And we’re adding a little bit of additional custom control on the admission control on that as well, on the vcluster sync side to make it even easier. Then resource quotas are another part in that place while with the third thing, which is limit-ranges. Limit range is essentially that you define, okay, let’s say the user doesn’t provide any CPU and memory limits for their pods. You can essentially define defaults for them automatically. And then resource quota is the thing that actually limits your resources. You first need to specify resources in order to be able to limit them. So those two things play kind of nicely into each other.

And then the fourth component is network isolation, network policies. That’s the last step that really enables you to have… Let’s say you spin up a hundred virtual clusters inside the same EKS cluster and people launch pods in there. In the end, these pods and these containers actually run inside the underlying cluster. They’re still in that EKS cluster. So there’s network connectivity between these containers possible. And when you put these network policies in place, you can restrict that network traffic. So that you now have a hundred clusters, all the containers are launched in the underlying EKS cluster but they cannot communicate with each other via network traffic. That’s a really important part because otherwise if one of your virtual clusters is compromised, they’d essentially be able to reach any other part through internal networking. And with network policies, you’re definitely locking the virtual clusters in from a network perspective. It’s definitely a very, very important part.

  • Swapnil Bhartiya: How does Isolated Mode reduce the work required by administrators to isolate tenants in multi-tenant Kubernetes clusters?

Lukas Gentele: Yeah, I think it essentially takes you from isolated virtual clusters or only logically isolated virtual clusters to much, much stricter isolated virtual clusters. Instead of spending days on that step, you essentially get there in a second by adding an additional flag. We allow you to customize Isolated Mode as well. So you can essentially say, “Hey, the standards that you’re defining in this limit range don’t work for me. I want different CPU and memory default that should be applied to pods.” Right? It is still very, very customizable. So if you need to dive deeper, if you’re running into any issues, because of the isolation you need to be a little bit more generous with limits, for example. That is still possible, but you get there much, much faster. It’s much easier to start from a well written template rather than having to come up with everything yourself, right? You literally have to first start with, “What do I even need?” Right? And having that template and having a starting point is really, really helpful to get you up to speed very, very quickly.

  • Swapnil Bhartiya: What’s next in the pipeline for vcluster?

Lukas Gentele: We’re definitely working on improving the plugin experience. That is an important part because we do see the plugin ecosystem as a very important one. Because we get a lot of requests like, “Hey, I want this to be synced.” Or “I want certain annotations to be changed.” Or, “certain annotations be kept.” Right? I have so many, even conflicting, requests from users because everybody has their own use case. And I think having that plugin system lets us… Otherwise we’d be deciding, we go with user A or user B? Right? Sometimes they are conflicting and with the plugin system, we essentially let everybody customize their own world. Right? To tailor to their use case. So it’s very important that the plugin system is super easy to use and very adaptable, and has a lot of capabilities. I think that is a super, super important part for us going forward.

And the second one is adding more distributions. Again, we have Kubernetes right now. We have K0s. We have EKS. And we are thinking about moving forward with other distributions. I think that is a very, very important part as well. There’s open source distributions like Rancher’s RKE. I guess we already have K3s so Rancher’s covered, in part I guess, but there’s so much more we could add in terms of different Kubernetes distros.

  • Swapnil Bhartiya: If you look at vcluster, what role do you think it’s playing in the much bigger Kubernetes space?

Lukas Gentele: I think vcluster adds another valid option for multi-tenancy, and for isolating, and kind of slicing and dicing these Kubernetes clusters. It also makes clusters a lot more ephemeral. You start using clusters or virtual clusters, right, as cattle. It’s similar to AWS making virtual machines a commodity that you can spin up in a couple of minutes, versus having to put in physical servers in a rack. I think with heavyweight Kubernetes clusters, they pretty much represent these heavyweight servers that you have to manually put in the rack and plug in, right? The electricity and the networking and stuff like that. Versus vcluster lets you essentially run a single command, spin things up in a second, super, super lightweight. I think that will create a lot of velocity in the community space and it will hopefully accelerate innovation in the space even more.

  • Swapnil Bhartiya: Lukas, thank you so much for taking time out today. And of course, talk about vcluster, more importantly, the role it’s playing in the larger community space. Thanks for sharing those insights. And as usual, I would love to have you back on the show. Thank you.

Lukas Gentele: Yeah, it was great chatting with you, Swapnil. I hope I’ll get to see you at KubeCon or at least in the virtual scene around KubeCon. Definitely looking forward to that one as well. Thank you so much.