KCD 2023 - AKS unlighted, But what about security and Multi-tenancy?
Today I spoke and had a workshop at Kubernetes Community Days (KCD) 2023. And what a day it was. Arround 450 people where there on this day and the day before even more.
In our talk together with Jurgen Allewijn and Myself, we described the usecase how to overcome the challenges in setting up Azure Kubernetes Service (AKS) in such a way that it is secure, multi-tenant and compliant with the local government regulations (SCF, SMCF, DPIA, NORA and BIO).
Like many companies, the City of Amsterdam is adopting Container Technology as part of their Cloud Roadmap Strategy. The goal is to empower the workload teams with the latest technology and the DevOps way of working. On the Cloud Journey, the Cloud-Ops and Workload teams concluded that it isn’t just enabling “AKS”. It also requires a lot of management and Kubernetes knowledge, which is currently not present by most of the workload teams.
The decision was made to create a Shared-AKS (DTAP) offering for all the workload teams within the City of Amsterdam, which led to cost savings and central management. To achieve this goal, the choice of multi-tenancy was born. New challenges arose concerning the security and compliance regulations. One of the biggest challenges was segmentation of applications, which is by default not in nature of Kubernetes.
Benefits for the community Sharing a Real-life use case in setting up a Multi-tenant Kubernetes with experience out of the field in a complex environment which is limited by compliant government regulations. It is not just “enabling” AKS and you are finished.
This talk helps bring clarity to create a Multi-tenant Kubernetes Environment based on agentpools in a secure, segmented and compliance way to all your workload teams, facilitating them in the needed protected cloud environment and a self-service offering.
This solution is based on Azure Kubernetes Service, enriched with technologies like Nginx, Calico, Open Policy Agent, Azure Container Registry, Azure Policies, Tagging, KUbernetes REboot Daemon, Azure KeyVault, Application Gateway, ServiceMesh, Container Security, Container Logging and Monitoring.
In the end the environment is deployable by infrastructure as code pipelines, protected, compliant and gives the possibility to use the power of Kubernetes and the Public Cloud like scaling on demand. This gives the needed flexibility to the City of Amsterdam, to follow the OpenSource strategy, using the latest technology and implementing the DevOps way of working.
The presentation can be viewed via this link.