Written by Mustafa Ali
Data Engineer
As organizations grow, so does the number of development and production clusters they run, and each of those clusters needs consistent configuration and security policies applied across multiple environments; the result is growing complexity and confusion. With Anthos Config Management (ACM), companies can automate the configuration of their shared environments and thereby enforce approved security policies across Kubernetes clusters on Google Kubernetes Engine (GKE), on-prem, and on other public cloud providers.
One of the critical challenges in managing Kubernetes workloads in a hybrid setup is applying configurations across multiple clusters without introducing errors that affect every environment at once. A traditional approach is to set up a GitHub repository specifically for Kubernetes configuration changes and sync it through multiple CI/CD pipelines, but the error rate and the likelihood of something breaking during the deployment cycle remain significant.
Anthos Config Management (ACM) is a solution that addresses the management of Kubernetes clusters across hybrid cloud environments and helps manage resources in a configuration-as-code manner. It combines three components:
Policy Controller
Config Sync
Config Controller
Anthos Config Management continuously protects and configures the Google Cloud and Kubernetes resources through these components.
Simply by interacting with your Anthos Config Management Git repository, you can deploy and manage Kubernetes objects across multiple clusters. It is essential to secure your ACM repository: it contains your credentials, which makes it a target for attackers.
ACM lets you deploy your shared environment configurations automatically. It also provides a platform for applying approved security policies across GKE, on-premises Kubernetes clusters, and other public cloud platforms, and it lets platform admins configure Google Cloud services using the same resource model. It's handy to enforce policies such as:
Anthos Config Management stores its configuration in a Git repository; its operators then apply those configs to the selected clusters.
We can also use Anthos Config Management with GitLab to manage multiple Kubernetes clusters in a production environment. Securing the ACM repository is a vital deployment step.
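As an added example (not code from the original post), the two manifests below show this pattern: a Config Sync RootSync that pulls the cluster configuration from a GitLab repository using a read-only access token stored in a Kubernetes Secret, and a Policy Controller constraint, committed to that same repository, which makes every synced cluster reject Namespaces that lack an owner label. The repository URL, branch, directory, Secret name and label key are assumptions.

```yaml
# Added example: Config Sync RootSync pulling cluster config from GitLab
# (repo URL, branch, directory and Secret name are assumptions).
apiVersion: configsync.gke.io/v1beta1
kind: RootSync
metadata:
  name: root-sync
  namespace: config-management-system
spec:
  sourceFormat: unstructured
  git:
    repo: https://gitlab.example.com/platform/acm-config.git
    branch: main
    dir: clusters          # only this directory of the repo is synced
    period: 60s            # reconcile interval (assumption; the default is 15s)
    auth: token            # GitLab read-only access token stored in a Secret
    secretRef:
      name: git-creds      # Secret keys: username, token
---
# Policy Controller constraint, committed to the repository above so that
# every synced cluster enforces it. K8sRequiredLabels comes from the Policy
# Controller constraint template library; the label key is an assumption.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: namespaces-must-have-owner
spec:
  enforcementAction: deny   # reject non-compliant Namespaces at admission
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    labels:
      - key: owner
```

Create the Secret with `kubectl create secret generic git-creds --namespace=config-management-system --from-literal=username=<gitlab-user> --from-literal=token=<read-only-token>`, scoping the GitLab token to repository read access only so that a leaked token cannot be used to change what gets deployed.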
The following diagram shows how we can apply ACM configurations with GitLab to manage multiple Kubernetes clusters: one in GKE, one in Anthos clusters on-prem, and one in another cloud provider.
This diagram illustrates the following steps in the pipeline:
By default, GitLab uses roles to grant permissions on GitLab projects. For example, a user with the Developer role can open a merge request, and a user with the Maintainer role can approve the request. While this permission system can work well at first for Anthos Config Management, you might run into problems as your Kubernetes and ACM footprint grows. For example, the maintainers of the Anthos Config Management repository might get overwhelmed by the number of merge requests they have to process and approve.
Deploy multiple GKE clusters running in a shared project on a shared network in two regions and install Anthos Config Management. Follow the detailed steps for the configuration:
These operators are all managed as features using Hub.
When deploying a configuration set within a hybrid cloud environment, companies need to rely on a certified expert team that can help operationalize business needs in the cloud environment. As partners of Google Cloud, we have individuals who can collaborate with the clients, develop and manage the advanced services and products offered by Google Cloud.
To learn more about what we can offer, contact us at [email protected] or visit us at www.royalcyber.com