Welcome to CloudVeneto's Experimental Container-as-a-Service (CaaS) Platform!

CaaS provides an easy way to run containerized software packages in the cloud. Unlike the more widely recognized Kubernetes-as-a-Service (KaaS) model, where users are responsible for creating and managing their Kubernetes clusters, with CaaS we offer a fully managed orchestration platform as a cloud service. This means you don't need an in-depth understanding of Kubernetes infrastructure management. Instead, you can effortlessly deploy your containers to our Kubernetes-based platform using the straightforward kubectl command line interface.

Please be aware that our CaaS service is currently in an experimental phase, so some issues may arise. If you encounter any problems, we kindly ask you to report them to support@cloudveneto.it. Your feedback is invaluable for enhancing the quality of our service.

In this section, we will guide you through the process of accessing our CaaS platform and running your containers.


Overview

Before accessing the platform, it is important to grasp some key concepts about the architecture, usability, security, and a few limitations. We assume that you already have a basic understanding of Kubernetes (https://kubernetes.io).


The Architecture

Kubernetes manages your workloads by placing containers in pods, which are then scheduled to run on nodes. In our CaaS, each node is essentially a virtual machine provided within the CloudVeneto infrastructure. These nodes are under your control but are configured by our platform. In contrast, the control plane, responsible for orchestrating container deployments and cluster management, is fully managed by CloudVeneto.

This separation of responsibilities ensures a streamlined user experience while providing the following benefits:

  • Flexibility: You have the freedom to manage your nodes according to your specific requirements in terms of CPU, RAM, and storage (flavor) without having to worry about their setup.
  • Isolation: Your pods run on dedicated nodes, effectively creating a virtual cluster tailored to your needs.
  • Resource Sharing: You can share one or more nodes with users who belong to your CloudVeneto project.
  • Service Deployment: You can either use pre-deployed services (e.g., nginx) or deploy new ones in your own namespace. 

Please note that the nodes you create utilize the quota assigned to your CloudVeneto project. Therefore, the size of your virtual cluster is constrained by the available resources at any given moment. Since node creation typically takes just a few minutes (usually less than 5 minutes), we encourage you to create new nodes as needed but also to promptly remove them when they are no longer necessary in order to conserve cloud resources.

Security

Running pods on your own nodes (i.e., virtual machines) ensures a high level of isolation. However, Kubernetes doesn't provide complete isolation for users within the same namespace. To address this specific limitation, we have introduced integrated add-ons for Kubernetes. These enhancements include authentication mechanisms based on Keystone and IAM tokens, along with refined authorization procedures to ensure comprehensive user and resource isolation.

Kindly be aware that pods running on shared nodes do not achieve full isolation as they share the same computing resources (virtual machine) and rely on the security capabilities of the container runtime, such as Docker or Containerd.

How to access the CaaS

Accessing the CaaS requires proper configuration of kubectl, the Kubernetes management client.

To simplify the configuration and authentication process, two distinct plugins for kubectl have been developed: kubectl-openstack and kubectl-iam. These plugins are differentiated based on the type of authentication required.

  • kubectl-openstack: This plugin is required for all users registered with CloudVeneto and is based on the OpenStack authentication model, using the Keystone token.

  • kubectl-iam: This plugin is required for all INFN users external to CloudVeneto, who are registered with one of the IAM services supported by our cluster (by default: "https://iam.cloud.infn.it" and "https://iam.quantumtea.it"). (This point needs to be clarified.)

Configuring kubectl with the kubectl-openstack plugin

Prerequisites

  • install kubectl (guide)
  • have an OpenStack password configured through the CloudVeneto dashboard.

Plugin installation

Download the kubectl-openstack file and copy it to /usr/local/bin/. You may need to make the file executable (chmod 755 kubectl-openstack).

Usage

To view the syntax and the list of parameters use the help:

$ kubectl-openstack --help
Usage: kubectl-openstack [FLAG] -user <USERNAME> -password <PASSOWRD> -project <PROJECT>

Options:
  -force
    	overwrite the existing configuration
  -password string
    	your CloudVeneto password
  -project string
    	your CloudVeneto project
  -user string
    	your CloudVeneto username
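
The help output above shows that the plugin takes the password as a command-line flag, so typing it inline leaves it in the shell history. The wrapper below is an added example, not part of the CloudVeneto documentation or of the plugin itself; it reads the password without echo and passes only the flags listed above. The function name caas_login is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the CloudVeneto documentation.
# caas_login is a hypothetical wrapper name; the flags passed to the plugin
# (-force, -user, -password, -project) are the ones in the help output above.

# The ( ... ) body runs in a subshell, so $password never reaches the caller.
caas_login() (
    user=${1:-} project=${2:-} force=${3:-} password=""

    if [ -z "$user" ] || [ -z "$project" ]; then
        echo "usage: caas_login <USERNAME> <PROJECT> [-force]" >&2
        exit 2
    fi
    if ! command -v kubectl-openstack >/dev/null 2>&1; then
        echo "kubectl-openstack not found on PATH" >&2
        exit 127
    fi

    if [ -t 0 ]; then
        # Interactive: prompt with terminal echo off; restore echo on interrupt.
        printf 'CloudVeneto password for %s: ' "$user" >&2
        trap 'stty echo; exit 130' INT TERM
        stty -echo
        IFS= read -r password || true
        stty echo
        trap - INT TERM
        printf '\n' >&2
    else
        # Non-interactive: read one line from stdin (e.g. a password manager).
        IFS= read -r password || true
    fi
    if [ -z "$password" ]; then
        echo "empty password, aborting" >&2
        exit 1
    fi

    set -- -user "$user" -password "$password" -project "$project"
    if [ "$force" = "-force" ]; then set -- -force "$@"; fi

    # The plugin takes the password only as an argument, so it is still
    # visible in the process list for as long as the plugin runs.
    rc=0
    kubectl-openstack "$@" || rc=$?
    exit "$rc"
)
```

Call it as `caas_login <USERNAME> <PROJECT>`, adding `-force` as a third argument to overwrite an existing configuration.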