ibuildthecloud/k3v ibuildthecloud/k3v

  • Stars
    star
    684
  • Rank 66,068 (Top 2 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created over 5 years ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
ibuildthecloud/k3v
github

ibuildthecloud

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Virtual Kubernetes

k3v - Virtual Kubernetes

STATUS: Proof Of Concept

k3v runs as a dedicated virtual Kubernetes control plane. When pods are launched they are launched in another cluster. k3v uses the compute, storage, and networking resources from a real Kubernetes cluster. This allows one to take one physical Kubernetes cluster and chop it up into smaller virtual clusters. Also, it is theoretically possible that one virtual cluster spans multiple physical clusters.

Quick Start

Please note, this is POC quality stuff.

  1. Download k3v binary from the releases page. NOTE: While Windows and macOS binaries are available they probably won't work.
  2. Run k3v pointing to a kubeconfig file of your physical cluster. 
    ./k3v --kubeconfig someconfig.yaml
    If you kube config is in the standard $HOME/.kube/config then no argument is needed.
  3. Once started k3v will create a local folder ./k3v-data that has the virtual kubernetes state. Also ./kubeconfig.yaml will be created.
  4. Use ./kubeconfig.yaml to talk to k3v 
    kubectl --kubeconfig ./kubeconfig.yaml --all-namespaces=true get all

Benefits

The reasons for experimenting with virtual clusters are

  1. Better security/multitenancy
  2. Better separation of concerns between infra and custom controllers (operators)
  3. Ability to package complex k8s based applications

Security

Virtual clusters can help create a better model for hard multi tenancy.

Multitenancy in Kubernetes is hard for multiple reasons. First you must trust the security of a container. Meaning that one bad neighbor can't attack another neighbor. Virtual clusters does not help with this concern. To address this you need to trust containers or leverage another technology like gvisor or katacontainers. The second and more fundamental issue is that the attach surface of Kubernetes is far to large for multitenancy. Right now the only way to accomplish multi tenancy is to not allow users to do the vast majority of Kubernetes operations. It is far too difficult to ensure that all the various APIs will not expose some issue. But limiting access means an end user can't leverage a lot of functionality of Kubernetes, such as operators.

Virtual clusters allow you to separate out the problem into two distinct layers. First you need a secure and very limited physical cluster. A virtual cluster only requires very basic CRUD privileges on pods, services, endpoints, configmap, secrets, and pvcs. It is far easier to secure this small set of APIs. Then tenants can be given access to a virtual kubernetes instance and given full cluster admin privileges. They can do whatever they want with Kubernetes and you can be confident they won't impact another neighbor.

Separation of Concerns

Kubernetes is a great architecture that allows one to write things such as operators or controllers to manage your infrastructure. Unfortunately each operator or controller you add to a cluster could have larger impacts on the cluster. Today, if you want an operator, really a cluster admin must install that for you. And more importantly, the cluster admin must have confidence the operator won't do harm to the cluster. This is not a scalable model.

With virtual clusters you can setup large, rather boring physical clusters. One team can be responsible for the core uptime of this cluster. Then each virtual cluster can install operators or any random component as they wish, with a high degree of confidence that if something goes wrong it only impacts this one virtual cluster.

Kubernetes Based App Packaging

If you write a complex Kubernetes based application (think istio or such) one could package this application in a virtual cluster and deploy it in a cluster much like a normal controller, but with no CRDs. No matter what madness that application does (CRDs, finalizers, webhooks, etc) it is all nicely encapsulated.

License

Copyright (c) 2019 Rancher Labs, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

More Repositories

1

systemd-docker

Wrapper for "docker run" to handle systemd quirks
Go
716
star
2

klum

Kubernetes Lazy User Manager
Go
295
star
3

only-docker

Docker as PID 1... what?!
Shell
161
star
4

finalizers

Stupid Finalizers
Go
108
star
5

coreos-on-do

Script to install CoreOS on Digital Ocean
Shell
97
star
6

wtfk8s

Watch and print changes in k8s
Go
82
star
7

gitbacked-controller

Write controller-runtime based k8s controllers that read/write to git, not k8s
Go
50
star
8

kvsql

Storage backend for Kubernetes using Go database/sql
Go
35
star
9

cowbell

Simple web hooks for rancher
Go
16
star
10

k3s-operator

Stupid simple controller to create local k3s clusters
Go
9
star
11

jenkins-acorn

An Acorn for a Jenkins server running against Kubernetes
Dockerfile
7
star
12

os2

not OS/2
Dockerfile
7
star
13

rancher-charts

Clone of Helm stable charts
Smarty
5
star
14

iwontbuyadomain

I won't buy a domain.
HTML
4
star
15

webhook-demo

Demo webhook application for Acorn
JavaScript
4
star
16

docker-ubuntu-kvm

Scripts used to create ibuildthecloud/ubuntu-kvm
Shell
4
star
17

steve-example

Go
3
star
18

wsudp

An ever so important websocket to UDP bridge to connect quakejs to a native quake3 server
Go
3
star
19

home

My ${HOME}
Shell
3
star
20

k3os

nothing to see here
Go
3
star
21

baaah

K8s Controller Framework made out of pure frustration
Go
3
star
22

my-repo

JavaScript
2
star
23

herd

Cute Fluffy Portable Apps
Go
2
star
24

wonka

Running dockerized apps like a pro
Go
2
star
25

cros

my devscripts for chromiumos
Shell
1
star
26

ibuildthecloud.github.io

HTML
1
star
27

docker-ubuntu-core

Script used for docker image ibuildthecloud/ubuntu-core
Shell
1
star
28

docker-networking-notes

Business, Business, Business, Numbers... Is this working?
1
star
29

dstack

A sandbox for Darren's opinions and code
Java
1
star
30

fleet-simulator

Shell
1
star
31

acs-launcher

Simple main class to launch Apache CloudStack in Eclipse in a fast way
Java
1
star
32

fleet-kitchensink

Deploy everything (this takes a lot of memory)
1
star