logo
allArticlesConferencesPresentations

Dedicated Infrastructure in a Multitenant World

Conference:  KubeCon + CloudNativeCon Europe 2021

Authors:   Carlos Sanchez

Summary

The presentation discusses the challenges of running multitenant Kubernetes clusters and the solutions implemented by Adobe Experience Manager Cloud Service to provide customers with their own dedicated infrastructure while maintaining multi-tenancy on the Kubernetes cluster. The solution involves using Envoy to run networking tunnels between Kubernetes pods and customer dedicated infrastructure, enforcing encryption and mutual authentication using certificates.
  • Running multitenant Kubernetes clusters is challenging, particularly when different tenants require their own dedicated infrastructure
  • Adobe Experience Manager Cloud Service built solutions to provide customers with their own dedicated infrastructure while running most services in multitenant Kubernetes clusters
  • Envoy is used to run networking tunnels between Kubernetes pods and customer dedicated infrastructure, enforcing encryption and mutual authentication using certificates
  • The solution allows different pods to have their own dedicated egress IP instead of the cluster's, or connections from pods to multiple customer on-premise services using VPN
  • The solution is provisioned automatically using Terraform, Terragrunt and other services
Adobe Experience Manager Cloud Service faced the challenge of providing customers with their own dedicated infrastructure while maintaining multi-tenancy on the Kubernetes cluster. They implemented a solution using Envoy to run networking tunnels between Kubernetes pods and customer dedicated infrastructure, enforcing encryption and mutual authentication using certificates. This allowed different pods to have their own dedicated egress IP instead of the cluster's, or connections from pods to multiple customer on-premise services using VPN. The solution was provisioned automatically using Terraform, Terragrunt and other services.

Abstract

Running multitenant Kubernetes clusters is challenging, particularly when different tenants require their own dedicated infrastructure. At Adobe Experience Manager Cloud Service we built solutions to provide customers with their own dedicated infrastructure, such as ips, DNS, VPN connectivity,... while running most services in multitenant Kubernetes clusters. We will share how we built our solution making extensive use of Envoy to run networking tunnels between Kubernetes pods and customer dedicated infrastructure, enforcing encryption and mutual authentication using certificates. This allows, for example, different pods to have their own dedicated egress ip instead of the cluster's, or connections from pods to multiple customer on-premise services using VPN. The solution is provisioned automatically using Terraform, Terragrunt and other services.
Materials:
Slides
Tags:

Post a comment

Related work

Secure Multi-Tenant GitOps Application & Infrastructure Rollouts At Adobe

Conference:  KubeCon + CloudNativeCon North America 2022
Authors: Vikram Sethi, Manabu McCloskey
2022-10-26

What Kind of CPU is it Anyways? Airbnb's Journey to Heterogeneous Clusters

Conference:  KubeCon + CloudNativeCon North America 2021
Authors: Evan Sheng, David Morrison
2021-10-13

Kubernetes Privilege Escalation: Container Escape == Cluster Admin?

Conference:  Black Hat USA 2022
Authors:
2022-08-11

Bring Your Own Token (BYOT) to Replace the Traditional Smartcards for Strong Authentication and Signing

Conference:  BlackHat EU 2019
Authors:
2019-12-04

Towards Something Better Than CRDs In a Post-Operator World

Conference:  KubeCon + CloudNativeCon North America 2022
Authors: Stefan Schimanski
2022-10-27

Secure your cluster-to-cluster traffic, the agnostic way

Conference:  KubeCon + CloudNativeCon North America 2021
Authors: Pauline Lallinec, Dave Kerr
2021-10-15