►
Description
Don’t miss out! Join us at our next event: KubeCon + CloudNativeCon Europe 2022 in Valencia, Spain from May 17-20. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Dedicated Infrastructure in a Multitenant World - Carlos Sanchez, Adobe
Running multitenant Kubernetes clusters is challenging, particularly when different tenants require their own dedicated infrastructure. At Adobe Experience Manager Cloud Service we built solutions to provide customers with their own dedicated infrastructure, such as ips, DNS, VPN connectivity,... while running most services in multitenant Kubernetes clusters. We make extensive use of Envoy to run networking tunnels between Kubernetes pods and customer dedicated infrastructure, enforcing encryption and mutual authentication using certificates. This allows, for example, different pods to have their own dedicated egress ip instead of the cluster's, or connections from pods to multiple customer on-premise services using VPN. The solution is provisioned automatically using Terraform, Kubernetes operators and other services. We have previously shown the architecture we built to run this service, and we will provide updates on what worked well, what didn't and the lessons we learned running it in production.
A
Hello,
my
name
is
carlos
sanchez
and
I'm
here
to
talk
to
you
about
dedicated
infrastructure
in
a
multi-tenant
world.
Why
would
you
care
about
this?
Our
use
case
was.
We
have
multi-tenant
kubernetes
clusters
where
each
tenant
may
want
to
have
dedicated
networking
features
like
dedicated
ips,
dedicated
network
connections
or
vpn
connections.
Things
like
that,
and
we
built
this
solution
on
top
of
envoy
and
I
think
it's
for
us.
A
A
So
let's
go
I'm
a
cloud
engineer
at
the
adobe
experience
manager
cloud
service,
that's
the
product,
I'm
going
to
talk
to
you
about
today
and
where
we
built
this
at
adobe,
and
my
background
is
a
lot
of
option
source
work
over
the
years.
I'm
the
author
of
the
yankees
kubernetes
plugin,
I
started
years
ago
and
I'm
a
long
time
open
source
contributor
at
open
source
projects
like
jenkins,
maven,
puppet
and
so
on.
A
So
brief,
introduction
about
the
experience
manager
is
a
content
management
system,
digitalizes
asset
management,
digital
enrollment
and
forms
and
is
used
by
many
14
100
companies.
This
was
even
before
the
cloud
service
was
was
created
and
it
was
already
a
distributed
java,
osgi
application
that
used
a
lot
of
open
source
components
from
apaches
of
our
foundation,
and
it
has
a
huge
market
of
extension
developers
writing
code
for
aem,
so
adobe
experience
manager
on
kubernetes.
A
We
took
what
was
already
there.
We
started
running
it
in
kubernetes
like
a
couple
of
years
ago
running
on
asia.
We
have
more
than
18
clusters
already
across
multiple
regions.
U.S
europe
all
over
the
world,
and
an
interesting
point
is
that
we
have
adobe
has
a
dedicated
team
that
runs
the
clusters
for
us
and
for
other
products.
A
A
A
A
So
we
built
the
solution
on
top
of
envoy,
we
run
envoy
on
virtual
machines
and
we
run
envoy
on
both
sidecars
inside
kubernetes
and
that's
a
bit
of
how
the
whole
system
works
on
on
the
setup
or
the
architecture
we
have
like
each
tenant.
We
give
them
a
virtual
network
and
a
virtual
machine
how
to
scale
set
and
load
balancer.
These
virtual
machines
are
running
envoy.
A
The
v-net
can
be
privately
connected
to
the
customer
network,
so
if
they
wanted
to
have
this
vpn
or
if
we
wanted
to
support
express
route
things
like
that,
we
could
use
the
cloud
provided
features
and
products
to
connect
this
v-net
to
the
to
the
customer.
So
the
v-net,
where
the
envoy
vms,
are
running
the
load
balancer
in
front
of
the
virton
machines,
provides
the
a
dedicated
public
rear
sip
that
is
only
for
those
vms.
A
On
the
kubernetes
side,
we
have
the
java
virtual
machine
configured
with
an
envoy
sidecar
as
an
http
proxy,
and
so
the
traffic
from
that
via
jvm,
is
going
to
the
invoice
sidecar
between
the
sidecar
envoy
and
the
envoy
in
the
virtual
machines.
We
have
an
http
2
tunnel
that
is
encrypted
and
authorized
with
mtls.
A
So
what
are
the
benefits
of
for
us
of
using
envoy?
It
is
for
for
the
java
virtual
machine.
We
have
a
simple
and
transparent
configuration,
we're
using
hdb
proxy
system
properties,
so
this
is
like
java
level
configuration
that
will
apply
to
most
or,
if
not
all,
the
http
connections
that
got
out
of
the
of
the
jvm,
and
we
can
also
support
any
other
protocols,
not
in
http,
by
using
different
listeners
on
the
envoy,
sidecar
and
all
traffic
from
that
pod
into
the
vms
is
encrypted.
A
The
virtual
network
on
nature
allows
us
to
configuration
of
vpn
private
connections
at
cloud
level
as
a
service
and
there's
nothing
else.
We
have
to
to
set
up
or
buy
infrastructure
and
anything
like
that
and
mtls
prevents
unauthorized
connections
and
also
one
tenant
connecting
to
another
tenant
envoy.
So
this
is
how
we
can
isolate.
A
We
just
put
tunneling
config
host
name,
what's
the
destination
host,
that
we
want
to
send
every
all
the
traffic
that
is
coming
through,
that
port
and
on
the
cluster
side
we
just
put
the
in
the
socket
address
the
destination
address
the
envoy
load,
balancer
that
it
and
the
port
that
where
the
load
balancer
is
listening,
so
those
are
the
main,
the
main
configuration
options
and
on
the
tls
configuration
we
use.
We
point
we
point
to
envoy
to
the
sds
configuration
files
for
the
certificates
and
the
certificate
authority.
A
A
We
have
one
dynamic
forward
proxy
for
cluster
for
all
the
destinations.
We
don't
have
to
com
to
hard
code,
any
destinations,
so
neither
on
the
listener
side
or
on
the
cluster
side,
so
on
the
listener
side,
http
connection
manager
and
port
443,
and
this
is
accepting
the
connections
from
the
invoice
sidecar,
and
we
also
need
to
configure
a
bit
differently.
What
https
and
http
is
and
the
braid
type
is
connect.
So
all
the
http
2
connections
coming
in
from
from
one
name
through
the
tunnel
they
get
sent
to
the
to
the
right
destination.
A
A
A
For
sds
configuration,
we
have
a
separate
file
because
this
way
allows
us
to
reload
the
certificates
we
have
having
to
touch
envoy
and
we
will
automatically
read
the
the
new
certificate
files
when
there's
they
changed
and
we
set
the
match.
Subject:
alt
names
so
we
use
the
sound
subject:
alternative
names
to
match
exactly
the
tenant
that
we
want
to
allow
in
those
set
of
vms.
So
the
tenant
that
is
set
on
this
side
has
to
match
the
tenant.
A
A
The
certificates
are
configured,
as
I
mentioned,
in
separate
sds
files,
and
this
ensures
that
they
are
automatically
reload
unchanged.
So
when
the
voltage
in
rotates
the
certificates
envoy
automatically
notices
and
the
ca
is
the
same
same
setup
just
two
different
files,
there
are
some
alternatives.
You
can
use
cert
manager
on
kubernetes
side
to
do
that,
rotation
for
the
sidecars
or
you
could
use
a
spfe.
A
A
What
about
employee
debugging?
This
is
something
that
is
probably
the
most
useful
advice
that
I
can
give
on
all
the
issues
we
hit
a
lot
of
tls
connection
errors
only
show
up
on
the
debug
logs
under
the
connection
component
and
when
there's
a
tls
connection
error.
The
client,
like
the
sidecar
side,
only
sees
the
socket
closing
messages
and
doesn't
get
any
feedback
on
why
it
is.
A
A
A
A
A
Some
issues
with
long-running
connections
and
typical
connections
for
database,
like
where
you
have
connection
pooling
or
lo
and
run
running
connections,
something
we
have
to
do
is
configure
max
stream,
duration
and
stream
idle
timeout,
because
otherwise
our
connections
were
getting
disconnected
very
early
and
we
had
also
to
increase
the
load,
balancer
timeouts,
to
make
sure
these
connections
didn't
get
dropped
but
yeah.
This
is
something
that
you
can
tweak
and
you
should.
If
you
have
long
running
connections
the
defaults,
don't
really
they
drop
the
connections
very
early
for
the
connection
pools.
A
A
A
So
that's
all
from
me.
If
you
have
a
use
case
like
this,
then
I
hope
this
helped
you
and
show
you
what
you
could
do
with
envoy
what
you
could
do
to
have
multi-tenant
kubernetes
clusters
and
also
have
a
dedicated
infrastructure
like
networking
this.
This
v-net
solution,
providing
a
v-net
for
each
tenant,
allows
us
to
use
any
of
the
cloud
providers
products
to
set
up
a
vpn.
We
could
set
up
a
dedicated
ips.
We
can
set
up
an
expert
route,
the
private
connections,
anything
like
that,
any
cluster.
A
Sorry,
any
cloud
provider
will
allow
you
to
do
that
once
you
have
a
virtual
network
and
then
the
configuration
with
envoy
and
all
this
architecture
with
envoy
allows
us
to
breach
the
the
gap
between
the
kubernetes
clusters
and
the
virtual
machines
with
ember
running
on
this
v-net.
So
this
this
is
one
solution
that
we
are
running
now
and
it
has
solved
a
lot
of
these
use
cases
for
us.
So
I
hope
it's
it's
also
useful
for
you
and
I
think
I
can
answer.