Kubernetes in the enterprise - implementation is not a DIY exercise

The rise of Kubernetes from an overly complicated open-source project that few outside Google understood into the preferred platform for next-generation applications that threatens VM hegemony is nothing short of astonishing. As I first noted almost three years ago, Kubernetes was already destined to vanquish Docker's container management software as the workload orchestrator of choice for both cloud-natives and large enterprises.

There are many reasons why containers with Kubernetes are fast becoming the preferred environment for both enterprise and cloud applications, notably improved resource efficiency, automated scalability, cloud portability and the interfaces needed for programmatically automated DevOps toolchains (CI/CD). Every major enterprise infrastructure stack, whether from VMware, Microsoft or Red Hat, now includes a container execution environment and Kubernetes-based management software.

Multiple data sources show that containers have become ubiquitous in enterprise IT. For example, the recent Flexera State of the Cloud survey found that more than 80% of respondents currently or plan to use Docker containers and Kubernetes. Gartner expects that the number of enterprises running containerized applications will more than double, from 30% today to 75% by 2022. Indeed, as Barrons noted last fall, the rapid enterprise adoption of containers poses two significant risks for VMware, which dominates the market for VM software (emphasis added):

1. "Wall Street analysts estimate that roughly half of VMware’s business still comes from its original virtualization business."
2. "A recent Morgan Stanley survey of chief information officers showed VMware was one of the vendors most likely to lose market share as companies migrate workloads to the cloud over the next three years."

Unfortunately, the road to a containerized future is full of potholes as  IT organizations and developers struggle when adapting to the new technology. For example, the Flexera survey finds that about 80% of organizations have trouble finding container expertise, while a similar number have difficulty adapting to new security models and threat vectors. Similarly, almost three-quarters of Flexera respondents say that managing container environments is a challenge.

Boom times for commercial container software

The COVID-19 crisis has proven the wisdom of John Adams’ (a man familiar with tumultuous times) famous quote, “every problem is an opportunity in disguise.” In this case, the challenges accompanying enterprise adoption of Kubernetes has been a boon to companies selling packaged container products that turn a DIY open source software puzzle into a pre-built, ready-to-use environment.

Estimates done before the crisis, which I’ve posited will accelerate the adoption of cloud and related services, projected that the market for container software would grow 33 percent annually to about $5 billion in sales by 2023 as organizations seek more efficient and flexible platforms that can accelerate the pace of application development. If I’m right about cloud usage — and anecdotal evidence supporting the hypothesis accumulates every week (for example, note the second to last paragraph here) —  the actual growth should be higher. Also fueling container adoption is an IoT explosion as enterprises deploy smart devices and equipment and build a distributed data collection and analysis environment that can offload central systems yet be centrally managed.

Forrester has a reasonable categorization of the market, which I have summarized and augmented (with Apprenda and Joyner) below, in its New Wave report on Enterprise Container Platform Software Suites.

Container infrastructure - the digital enterprise’s manufacturing line

One of the market leaders, which, unlike many container startups has managed to resist being absorbed into an IT conglomerate, is Rancher Labs. Despite its name, Rancher started in Silicon Valley, not the plains of West Texas and gets the moniker from the axiom that cloud operators must treat servers like cattle, not pets. Rancher brought this mechanistic philosophy to operating container infrastructure, which likewise is not an artisanal pursuit. Rancher’s software simplifies Kubernetes deployment and can manage both on-premises and cloud-hosted — AWS EKS, Azure AKS or Google Cloud GKE — environments and containerized applications from a single console.

A mix of features for both IT operations and development teams well positions Rancher for organizations that have adopted DevOps structures and practices. Sera4 is one such company that put Rancher at the center of its strategy to accelerate application delivery using Kubernetes. Jeff Klink, Sera4 VP Cloud and Security, and his technical team believed that moving from VMs to containers would significantly reduce the time needed to develop new services and activate new customers to its SaaS product, but Sera4’s IT and development teams had little experience with Kubernetes. They were drawn to Rancher for its ease of use and completeness and Klink says the payoff was an enormous reduction in the time to deploy new services, from six weeks using its old, VM-based system, to a few hours using containers with Rancher.

Sera4 isn’t your typical cloud-native Kubernetes enthusiast, which makes its path to and experience with containers all the more interesting. The Waterloo, Ontario-based company produces smart locks, controllers and related software for industrial uses that replaces physical keys with a cryptographically-secure combination of:

• A Sera4 physical padlock or lock controller
• Its Teleporte cloud service
• The Teleporte mobile app

Unlike consumer smart locks, Sera4’s products work with an IAM (identity and access management) system to authenticate users or groups to particular sets of locks. Like most IAM implementations, Sera4 supports role-based access controls (RBAC), access schedules (time-of-day, day-of-week), phone-based geolocation and lock groups. For example, a telecom technician might have access to remote switch boxes and base stations at all hours, while a vendor doing repairs to a piece of equipment would be limited to a particular day and time. Sera4 is significantly different from most consumer and industrial smart locks since it doesn’t use native Bluetooth security to access and activate locks, but rather a patented system protected by TLS and public key cryptography that Klink says eliminates Bluetooth’s security holes.

Klink says that with Rancher’s help, Sera4 overcame several challenges during its migration to Kubernetes, including:

• Scalability glitches and optimizations such as problems with intra-cluster communication causing containers to not correctly restart and the deleterious effects of latency when spreading workloads across multiple data centers.
• Fault tolerance such as runaway workloads exhausting cluster resources and the need to configure limits on container resource consumption.
• The use of microservices and Kubernetes sidecars to group, deploy and scale as a group services used by multiple applications.
• Kubernetes’ security model and issues integrating container security controls with Sera4’s SSO system.
• Accommodating data sovereignty regulations when operating data centers in four regions. Klink says the ability to control the placement of customer data using Rancher’s central management console is critical to its ability to comply with relevant regulations and customer needs.
• Employee training and transitioning into new roles.

On the last point, Klink credits the open source Kubernetes ecosystem with accelerating the process:

We needed to grow up fast, and we did, mainly due to some of the tooling and toolsets provided to us by the  management platform we selected and support from the Kubernetes community. It is essential to have a partner that has your back when developing your skills base.

Now that Sera4 has ascended the Kubernetes learning curve and entirely migrated to containerized applications, Klink sees several benefits.

• Faster response time for new service requests and greater scalability to quickly handle large orders. For example, Klink says Sera4 can add a new customer with 10,000 locks in hours versus the days it once took to provision the necessary servers and VMs.
• Lower costs
• Greater customer convenience with a single console to manage locks in multiple locations.
• Higher availability with no disruptive software updates and a 20 percent reduction in system outages.
• Full compliance with data sovereignty regulations in multiple countries.
• Centralized logging with more complete auditing and monitoring along with improved capabilities for remote monitoring, which is critical in these times when operations teams might be working from home.

Equally important, according to Klink, has been the marketing advantages of using Kubernetes, which boosts the company’s technical authority as a leader in cloud software:

When we meet with a potential new customer, we immediately have technical street cred with developers and IT engineers.

My take

Containers only become feasible as an enterprise application platform when rounded out with an ecosystem of related services for container and workload management (Kubernetes), image storage and registration, security policy enforcement, monitoring, reporting and, eventually, service routing (mesh, e.g. Consul, Istio, Kuma, et. al.). Products like Rancher and its competitors, along with the container service portfolios from the big-three cloud vendors fill the gap between raw open source technology and a viable, production-quality enterprise system.

While container technology was developed and initially deployed by the cloud providers, online consumer services (think Netflix, Uber) and cloud-native startups, it has matured to the point of being suitable for any enterprise operating large-scale applications and services. Companies like Sera4 can serve as positive role models for organizations afraid that a container/microservice-based architectural reboot of their infrastructure and applications is a bridge too far. It demonstrates that the available software, cloud products and support services put Kubernetes within reach of any technically competent IT organization.

Whether it involves containers or redesigns of other IT systems, organizations that courageously stick with strategic plans will find themselves at a competitive advantage once the eventual economic miasma passes and potential customers are looking for a willing, able and progressive business partner.