Deploy Enterprise-Grade Kubernetes with VMware Pivotal Container Service (PKS)
VMware and Pivotal are excited to announce that Pivotal Container Service (PKS) will be initially available in mid-December for customers seeking an enterprise-grade Kubernetes solution. PKS is a purpose-built product to operationalise Kubernetes for enterprise and service providers, it significantly simplifies the deployment and operations of Kubernetes clusters. PKS will be able to be deployed in a datacentre on vSphere, as well as on Google Cloud Platform, and was recently certified by Kubernetes Software Conformance Certification program of the Cloud Native Computing Foundation.
Product highlights will include:
- The latest stable open-source version of Kubernetes – The initial release will feature Kubernetes 1.8. Developers will have full access to the Kubernetes API, with no proprietary extensions.
- Advanced container networking and security – Pod-level container networking by NSX-T with micro-segmentation, load balancing and security policies.
- Secure container registry – Help secure your container workloads through features such as vulnerability scanning, image signing and auditing
- Instant provisioning – Developers will be able to quickly create Kubernetes clusters on-demand
- High Availability – PKS is built with high availability, and the Kubernetes clusters will be monitored and managed from infrastructure to applications for high availability
- Access to Google Cloud Platform (GCP) Services – Developers will be able to easily access GCP services through integrated GCP service broker
- Persistent Storage – PKS will enable you to deploy Kubernetes clusters for both stateless and stateful applications.
Figure 1: Pivotal Container Service
Built for multi-cloud environments with native Kubernetes APIs, PKS is developed off the mainline Kubernetes release with constant compatibility with Google Kubernetes Engine (GKE) so developers have access to the latest stable Kubernetes release. PKS will solve day-one (deployment) and day-two (operations) challenges by leveraging Cloud Foundry Container Runtime (CFCR), formerly known as Kubernetes on BOSH, or Kubo. With the power of BOSH, PKS will not only simplifies the deployment of Kubernetes clusters through automation and orchestration, but also provides health-checks and self-healing of the underlying infrastructure for highly available, production-grade deployments.
Using BOSH, PKS will automate the entire network configuration required for Kubernetes clusters. This automation eliminates the risk of manual configuration errors, which can result in performance issues or, worse, security holes.
Networking with NSX-T
PKS will include VMware NSX-T, which offers advanced container networking and security features for Kubernetes clusters. NSX-T provides the complete set of Layer 2 through Layer 7 networking services that are needed for containers and pod-level networking. With NSX-T integration in PKS, enterprises will be able to quickly deploy networks with micro-segmentation and on-demand network virtualization without disrupting the development cycle.
PKS will enable enterprise IT teams to deliver a full-stack CNCF-certified Kubernetes container service that includes networking and storage services, a secure container registry, and service broker capabilities.
PKS will provide license entitlement, production support, and deep integration with VMware NSX-T.
With NSX-T, customers will get all the networking functions required for Kubernetes, including pod-level networking, ingress to services, and load balancing across multiple replica sets. In addition to the basic Kubernetes networking functions, customers will get advanced networking functions, such as network security policies and tenant-level isolation using the NSX-T multi-tiered routing model.
A key design concept of NSX-T integration with PKS is to assign a unique logical switch to each Kubernetes namespace. This provides the ability to segment the traffic of each namespace within a given Kubernetes cluster. Development teams will be able to choose to use a dedicated Kubernetes namespace within a shared cluster to secure their workloads from other teams.
Figure 2: NSX-T will offer pod networking with network isolation and load balancing
Secure Container Registry — Harbor
Harbor is an open source enterprise-class container registry server that stores and distributes container images. It provides production-grade authentication and role-based access to push and pull images. It also provides key registry services, such as integrated vulnerability scanning, image trust services, and image replication services.
With Harbor, container images can be safely and securely downloaded into Kubernetes clusters for application deployment. The Harbor registry enables production-grade image repositories for CI/CD pipelines. Customers can safely push container images into Harbor as part of their application release automation process. These images can be scanned for vulnerabilities and have their signatures validated by Harbor before they are allowed to be pulled into Kubernetes clusters as part of an application workload deployment process.
This gives development teams the platform to deploy applications quickly while still giving IT the control to enable the container images meet the security requirements of the enterprise.
Figure 3: Harbor is used to deploy images into Kubernetes clusters managed by PKS
While we recommend using the integrated Harbor container registry, PKS will also be able to be used with other container registries.
Persistent Storage with the vSphere Cloud Provider Plugin
PKS will enable you to deploy Kubernetes clusters for both stateless and stateful applications. It will support the VMware vSphere Storage for Kubernetes plugin which is part of Kubernetes through Project Hatchway. The plugin allows PKS to support Kubernetes storage primitives on vSphere storage; the storage primitives include volumes, persistent volumes, persistent volumes claims, storage classes, and stateful sets. The storage plugin also brings in enterprise-grade storage features. By using VMware vSAN, for example, you can extend storage policy-based management to applications running in a Kubernetes cluster.
GCP Service Broker
PKS will include a service broker that provides out-of-the-box access to GCP services. It will enable an operator to expose selected GCP services so that development teams can provision and consume GCP services by creating and managing “service instances” with the kubectl CLI or API. The GCP service broker supports offering GCP subscription services such as Google Cloud Storage, Google BigQuery, and Google Stackdriver. These services will be able to be consumed by applications running on-premises or from within GCP.
Support for PKS
PKS users will be entitled to production-level support. Both Pivotal and VMware provide world-class global support services to meet the needs of the most demanding production environments. Please note that PKS will require vSphere 6.5.
Learn more about Pivotal Container Service (PKS)
To learn more about Pivotal Container Service, visit: https://cloud.vmware.com/pivotal-container-service
To learn more about NSX-T 2.1 release, read: http://blogs.vmware.com/networkvirtualization/2017/11/nsx-t-2-1.html/
To learn more about Pivotal Cloud Foundry 2.0, read: https://content.pivotal.io/announcements/pivotal-unveils-expansion-of-pivotal-cloud-foundry-and-announces-serverless-computing-product