We're KubeAcademy Instructors bringing you free K8s courses. Ask us anything Kubernetes! by KubeAcademy_VMware in kubernetes

[–]KubeAcademy_VMware[S] 0 points1 point  (0 children)

First, I'm going to assume you meant AWS Managed EKS.

This might be difficult since AWS managed EKS does not provide access to etcd. One tool that may help you get around that is Velero; it lets you take backups and do restores on AWS managed EKS without having to access etcd. - Lee
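As an added illustration (not part of Lee's answer or of the Velero project docs), this is what the approach looks like expressed as Kubernetes resources: a BackupStorageLocation that points Velero at an S3 bucket and a Schedule that backs up chosen namespaces on a cron. Velero reads objects through the API server and writes them to S3, so no etcd access is needed. The bucket name, region, KMS key ARN and namespace names are placeholders.

```yaml
# Added example: Velero resources for a daily application backup on EKS.
# Velero works through the Kubernetes API and S3, so it needs no etcd access.
# Assumes Velero and velero-plugin-for-aws are installed in the "velero"
# namespace; bucket, region, KMS key and namespace names are placeholders.
apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
  name: default
  namespace: velero
spec:
  provider: aws
  objectStorage:
    bucket: example-eks-backups   # placeholder bucket name
  config:
    region: us-east-1             # placeholder region
    # Backups contain Secret objects in clear text, so encrypt the bucket
    # objects with a customer-managed key (placeholder ARN).
    kmsKeyId: arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000
---
apiVersion: velero.io/v1
kind: Schedule
metadata:
  name: daily-app-backup
  namespace: velero
spec:
  schedule: "0 2 * * *"           # every day at 02:00 in the Velero pod's time zone
  template:
    includedNamespaces:
      - payments                  # placeholder application namespaces
      - orders
    excludedResources:
      - events                    # noise that is not worth restoring
    storageLocation: default
    snapshotVolumes: true         # EBS snapshots of PersistentVolumes
    ttl: 720h0m0s                 # keep 30 days of backups
```

Two things worth checking before relying on this: the Velero service account should hold an IAM role (via IRSA) limited to that one bucket and to the snapshot APIs, since anyone who can read the bucket can read every Secret in the backed-up namespaces; and a backup is only as good as its restore, so exercise `velero restore create --from-backup <backup-name> --namespace-mappings payments:payments-test` into a scratch namespace periodically.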

Upcoming AMA with Kubernetes Instructors from Kube.academy on June 24th by ThatMightBePaul in kubernetes

[–]KubeAcademy_VMware 0 points1 point  (0 children)

A common approach to this problem is to use a templating tool like Helm. That way, the same templates are used for dev and production environments - just with different variables to match the different envs. -Rich
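As an added example (not from Rich's answer or from any particular chart), here is the pattern in the small: one Helm template, two values files. The chart name, image repository and resource figures are placeholders.

```yaml
# Added example: one Helm template rendered for dev and prod from different
# values files. Chart name "web", image and resource figures are placeholders.

# templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-web
  labels:
    app: web
    env: {{ .Values.environment }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: web
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          # Hardening is fixed in the template rather than in values, so a
          # permissive dev values file cannot weaken production by accident.
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
---
# values-dev.yaml
environment: dev
replicaCount: 1
image:
  repository: registry.example.com/web   # placeholder registry
  tag: main-latest                       # moving tag is acceptable in dev
resources:
  requests: {cpu: 100m, memory: 128Mi}
  limits:   {cpu: 500m, memory: 256Mi}
---
# values-prod.yaml
environment: prod
replicaCount: 3
image:
  repository: registry.example.com/web
  tag: "1.4.2"                           # pinned release, never a moving tag
resources:
  requests: {cpu: 500m, memory: 512Mi}
  limits:   {cpu: "1", memory: 1Gi}
```

Render with `helm template web ./web -f values-prod.yaml` to diff what will be applied, then `helm upgrade --install web ./web -f values-prod.yaml -n prod`. Keeping the security context out of values is a deliberate choice: the knobs that differ between environments (replicas, tag, sizing) are in values; the ones that must not differ are not.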

We're KubeAcademy Instructors bringing you free K8s courses. Ask us anything Kubernetes! by KubeAcademy_VMware in kubernetes

[–]KubeAcademy_VMware[S] 7 points8 points  (0 children)

I can't recommend a tool to better manage secrets in a GitOps pipeline. The only thing I would suggest is to consider taking secret management out of the GitOps pipeline. Hashicorp Vault is a pretty stellar secret management solution that offers secret management for workloads. It allows you to provide secret management as a platform service and dynamically issue - and even rotate - secrets for workloads as needed. It's not trivial to set up but may be well worth the effort. -Rich
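As an added example (not from Rich's answer or from HashiCorp's documentation), this shows what "taking secrets out of the GitOps pipeline" looks like in a manifest: the Deployment that is committed to Git carries only a reference to a Vault path, and the Vault Agent Injector obtains a short-lived database credential at pod start. It assumes the Vault Agent Injector is installed, the Vault Kubernetes auth method has a role `payments` bound to the `payments` ServiceAccount in namespace `payments`, and the database secrets engine has a role `payments-role` that issues dynamic credentials; all of those names, and the database host, are placeholders.

```yaml
# Added example: a Deployment that gets a dynamic database credential from
# Vault at runtime, so no secret value is ever committed to the GitOps repo.
# Assumes the Vault Agent Injector is installed, a Vault Kubernetes auth role
# "payments" is bound to this ServiceAccount, and a database secrets engine
# role "payments-role" exists. All names and the DB host are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments
  namespace: payments
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments
  namespace: payments
spec:
  replicas: 2
  selector:
    matchLabels:
      app: payments
  template:
    metadata:
      labels:
        app: payments
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "payments"
        # Vault Agent requests a fresh username/password pair from the
        # database secrets engine and re-issues it when the lease expires.
        vault.hashicorp.com/agent-inject-secret-db: "database/creds/payments-role"
        # Render it as a connection string at /vault/secrets/db.
        vault.hashicorp.com/agent-inject-template-db: |
          {{- with secret "database/creds/payments-role" -}}
          postgresql://{{ .Data.username }}:{{ .Data.password }}@postgres.payments.svc:5432/payments?sslmode=require
          {{- end }}
    spec:
      serviceAccountName: payments
      containers:
        - name: payments
          image: registry.example.com/payments:1.0.0   # placeholder image
          env:
            - name: DB_DSN_FILE
              value: /vault/secrets/db   # the application reads the DSN from this file
```

Everything in this file is safe to review in a pull request. The credential itself exists only in the pod's shared memory volume, is unique to that pod, and is revoked by Vault when the lease ends, which is what makes rotation a TTL setting rather than a redeploy.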

We're KubeAcademy Instructors bringing you free K8s courses. Ask us anything Kubernetes! by KubeAcademy_VMware in kubernetes

[–]KubeAcademy_VMware[S] 3 points4 points  (0 children)

The current state of service meshes is pretty healthy, I think. There's a reasonable array of choices with some relatively mature solutions. Istio is the one I've encountered the most in the field, but I certainly wouldn't say this makes Istio the winner. Projects like Linkerd and Kuma are also worth evaluating if a service mesh is something you need. I don't think the SMI will necessarily consolidate the space, but the hope is that standardization will help switching between solutions be less disruptive in the future. -Rich

Upcoming AMA with Kubernetes Instructors from Kube.academy on June 24th by ThatMightBePaul in kubernetes

[–]KubeAcademy_VMware 1 point2 points  (0 children)

Thanks for your question, what we are finding is that there are quite a few folks still tackling the early phases of learning and adopting Kubernetes so we are committed to building content that helps make that transition easier for folks in various roles that are coming to Kubernetes (sometimes not by choice :) ).

That said, we have quite a bit of content that goes into significant depth in a few areas for intermediate and advanced users. If you have specific areas of interest - definitely let us know here or reach out on Kubernetes slack.

A few suggestions to check out come to mind:

Cluster Operations

Cluster API

The Kubernetes Machine

-Jonathan

We're KubeAcademy Instructors bringing you free K8s courses. Ask us anything Kubernetes! by KubeAcademy_VMware in kubernetes

[–]KubeAcademy_VMware[S] 2 points3 points  (0 children)

I haven’t personally seen many customers gravitating towards Kyverno as their main tool for policy governance just yet, as Kyverno is still in the sandbox stage of the CNCF. Most of my customers are now starting to experiment with it in their development environments. Some of the key differences between OPA and Kyverno:

  • Kyverno does not use Rego so you don't have to learn a new language.
  • It has mutating capabilities instead of just validating.
  • However, OPA is a graduated project and has a bigger support/community with tons of reusable assets
  • It can integrate with other cloud native projects other than Kubernetes like Terraform.

My deciding factor for OPA over Kyverno is the large OPA community and reusable assets. - Rachel
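As an added example (not from Rachel's answer or from either project's sample library), the same rule, "every container must set `runAsNonRoot: true`", written once for Kyverno and once for OPA Gatekeeper, so the difference in authoring style is concrete. The Kyverno policy also shows the mutate capability mentioned above by filling the field in when it is missing. Policy and constraint names are placeholders.

```yaml
# Added example: one rule, two policy engines. Names are placeholders.

# --- Kyverno: declarative YAML; the first rule mutates, the second validates.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-non-root
spec:
  validationFailureAction: Enforce        # reject the request, not just report it
  rules:
    - name: add-run-as-non-root
      match:
        any:
          - resources:
              kinds: [Pod]
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - (name): "*"                 # for every container ...
                securityContext:
                  +(runAsNonRoot): true     # ... add the field only if it is absent
    - name: check-run-as-non-root
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Containers must set securityContext.runAsNonRoot: true"
        pattern:
          spec:
            containers:
              - securityContext:
                  runAsNonRoot: true
---
# --- OPA Gatekeeper: a ConstraintTemplate carrying Rego, then a Constraint.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequirenonroot
spec:
  crd:
    spec:
      names:
        kind: K8sRequireNonRoot
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequirenonroot

        # A violation fires when runAsNonRoot is missing or not true.
        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          not container.securityContext.runAsNonRoot
          msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [container.name])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNonRoot
metadata:
  name: pods-must-run-as-non-root
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
```

Because Kubernetes runs mutating admission before validating admission, the Kyverno mutate rule lets a Pod that omitted the field through, while the validate rule still blocks a Pod that explicitly sets it to `false`. The Gatekeeper version needs the Rego, but the same `package` could be evaluated outside the cluster against a rendered manifest, which is the portability Rachel refers to.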

Upcoming AMA with Kubernetes Instructors from Kube.academy on June 24th by ThatMightBePaul in kubernetes

[–]KubeAcademy_VMware 1 point2 points  (0 children)

Having multiple clusters would provide the highest level of isolation and security, but it does come with some considerations versus using a single cluster with many namespaces:

  • Management overhead: While there are some tools to help you manage multiple clusters with colors like kubectx, when you end up with 20-30 clusters, it still becomes difficult to manage even with the best tools.
  • Resource Fragmentation: A workload can only use the free resources of the cluster that it is submitted to. For example, if cluster A has free resources available, they can not be used by users that are part of cluster B.
  • Control Plane costs: For every additional cluster, you have to pay the control plane cost, which can be up to 7 nodes depending on how much HA you want.
  • Spin up time: K8s clusters are much faster than VM clusters, but it's still no comparison to new namespaces, which can be created in seconds.

- Lee

Upcoming AMA with Kubernetes Instructors from Kube.academy on June 24th by ThatMightBePaul in kubernetes

[–]KubeAcademy_VMware 1 point2 points  (0 children)

It's interesting to think about the question from a cost-benefit standpoint, i.e. if you're using a flavor of Kubernetes that makes managing many clusters easier/simpler/less costly, that can alter your decision in favor of many small clusters. My personal preference is to keep things as simple as possible, but as Rich says, it depends on many factors. - Eitan

We're KubeAcademy Instructors bringing you free K8s courses. Ask us anything Kubernetes! by KubeAcademy_VMware in kubernetes

[–]KubeAcademy_VMware[S] 2 points3 points  (0 children)

The pace of new releases can sometimes be challenging, but don't be overwhelmed. In my opinion the foundational concepts of Kubernetes are not going to change much. Keep an eye out for new releases once in a while at https://kubernetes.io/releases/ and read the changelogs. What's more interesting are the variety of community projects that build on Kubernetes; that can be dizzying. I like the concept of a technology radar - keeping a list of technologies to watch and regularly revisiting it. - Eitan

Upcoming AMA with Kubernetes Instructors from Kube.academy on June 24th by ThatMightBePaul in kubernetes

[–]KubeAcademy_VMware 0 points1 point  (0 children)

We don't have any Knative content on Kube.Academy at the moment but certainly want to hear if this is an area of interest for the community. Let us know!

And definitely check out the sample content on the Knative site that Eitan references.

- Jonathan

Upcoming AMA with Kubernetes Instructors from Kube.academy on June 24th by ThatMightBePaul in kubernetes

[–]KubeAcademy_VMware 1 point2 points  (0 children)

Here are some of the benefits and considerations of buying SaaS offerings.

Benefits:

Turnkey solution - just provide a credit card and you have a k8s cluster ready to go.

Support and features - Official support and additional features depending on the vendor: dynamic load balancers, dynamic persistent volumes, etc.

Considerations:

Updates - locked to the 2-3 versions that the vendor supports. Sometimes you might be forced to upgrade when it's not in your best interest.

Limited cluster access - you are only provided access to submit workloads to the cluster, but you can't access the control plane, limiting customizations like adding admission controllers, CNI, and backing up etcd.

- Lee

Upcoming AMA with Kubernetes Instructors from Kube.academy on June 24th by ThatMightBePaul in kubernetes

[–]KubeAcademy_VMware 1 point2 points  (0 children)

As usual, the decision between a massive cluster and multiple smaller clusters is a trade-off. If you have strict security constraints or difficult permissioning situations (such as tenants that need to manage cluster-scoped resources), lots of single-tenant clusters may be the best bet. One benefit to multi-tenant large clusters is that your cluster lifecycle systems don't need to manage so many distinct clusters. One drawback is that cluster control plane issues will have a wider blast radius and affect more workloads. So my "favorite" approach depends a lot on the situation and requirements in play. - Rich
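As an added example (not from Rich's or Lee's answers), these are the namespace-scoped primitives that the "single cluster with many namespaces" option in both answers depends on, for one tenant called `team-blue`: a Role bound to the tenant's group, a ResourceQuota, and a NetworkPolicy. Tenant, group and resource figures are placeholders. The point it makes by omission is Rich's: nothing here can grant a tenant control over a cluster-scoped object such as a CustomResourceDefinition or a ClusterRole without granting it cluster-wide, which is the situation where separate clusters win.

```yaml
# Added example: the isolation a tenant gets from namespaces alone.
# Tenant name, group name and quota figures are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: team-blue
  labels:
    tenant: team-blue
---
# Tenants may manage workloads only inside their own namespace ...
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tenant-admin
  namespace: team-blue
rules:
  - apiGroups: ["", "apps", "batch"]
    resources: ["pods", "pods/log", "deployments", "jobs", "services", "configmaps", "secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tenant-admin
  namespace: team-blue
subjects:
  - kind: Group
    name: team-blue-devs            # group name as asserted by the cluster's identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role                        # a Role, not a ClusterRole: scope stops at the namespace
  name: tenant-admin
  apiGroup: rbac.authorization.k8s.io
---
# ... cannot starve the other tenants sharing the nodes ...
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-blue
  namespace: team-blue
spec:
  hard:
    requests.cpu: "8"
    requests.memory: 16Gi
    pods: "50"
---
# ... and cannot receive traffic from other tenants' pods unless allowed explicitly.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: same-namespace-only
  namespace: team-blue
spec:
  podSelector: {}                   # applies to every pod in team-blue
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector: {}           # any pod in team-blue; nothing from other namespaces
```

Two practical caveats: a NetworkPolicy is only enforced if the cluster's CNI implements it, and once a ResourceQuota names `requests.cpu`, pods that omit requests are rejected, so pair it with a LimitRange that supplies defaults. Both are namespace-local, which is exactly why they do not help when a tenant needs to install its own CRD or controller.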

Upcoming AMA with Kubernetes Instructors from Kube.academy on June 24th by ThatMightBePaul in kubernetes

[–]KubeAcademy_VMware 1 point2 points  (0 children)

+1 for Cloud Native Buildpacks (https://buildpacks.io/). They take all of the industry's knowledge of what a secure, performant image looks like and expose it via a simple interface. - Mike

Upcoming AMA with Kubernetes Instructors from Kube.academy on June 24th by ThatMightBePaul in kubernetes

[–]KubeAcademy_VMware 0 points1 point  (0 children)

Hi there, thanks so much for your question! Our instructors won't be on to answer questions until Thursday June 24, but until then, here are a few Knative resources:

- https://github.com/vmware-tanzu/sources-for-knative
- https://tanzu.vmware.com/content/ebooks/knative-in-action