Securing Platform Engineering with Multi-Tenancy and Micro-Segmentation

At KubeCon, Jim Bugwadia and Rachael Wonnacott, from Nirmata and Fidelity International, respectively, delivered a session focusing on platform engineering, multi-tenancy, and micro-segmentation. They discussed how these concepts contribute to secure and efficient platform engineering practices, aiming to reduce cognitive load for developers while maintaining security across shared infrastructure.

The Importance of Detail in Platform Engineering

Rachael opened with a lighthearted anecdote about Van Halen’s infamous backstage rider: their request for a bowl of M&M’s with no brown ones. This seemingly peculiar request was actually a test to ensure the venue crew had read the detailed technical contract carefully; a bowl with brown M&M’s meant the rigging and power specifications probably had not been read either. Similarly, in platform engineering, attention to detail is crucial, as a single misconfiguration or overlooked default can undermine the isolation the platform promises. As platform engineers, it’s our job to be the guardians of these details, watching for the “brown M&M’s” of platform engineering.

The Challenges of Platform Engineering

Platform engineering aims to reduce the cognitive load for developers by abstracting away complexity. However, it also introduces its own set of challenges:

  • Architectural Sprawl: As organizations grow, microservices architectures can become increasingly complex, making it difficult to manage and secure workloads.
  • Hybrid Models and Security Threats: Many companies are operating in hybrid models, creating complexity in network layers and security concerns.
  • Compliance and Audit Needs: Organizations, especially in regulated industries, often struggle to provide consistent evidence of security practices and meet audit requirements.

To address these challenges, standardization becomes a powerful tool. By embedding common features and security practices at the platform layer, organizations can reduce variability, simplify operations, and ensure security while enabling developers to focus on their core tasks.

Multi-Tenancy and Micro-Segmentation

Multi-tenancy refers to the ability to run workloads from multiple teams or tenants on a shared platform while keeping them isolated from one another at the compute, identity (RBAC) and network layers. Network isolation is the hard part: by default, every pod in a Kubernetes cluster can talk to every other pod, so tenancy boundaries must be enforced with network policy. Micro-segmentation takes this further: instead of relying on coarse subnets or cluster boundaries, each workload gets an explicit allow-list of the peers and ports it may talk to, expressed in Kubernetes in terms of pod and namespace labels rather than IP ranges. The effect is that a compromised workload can only reach what its policy explicitly permits, not the entire cluster network.

There are different approaches to multi-tenancy in Kubernetes, including:

  1. Cluster as a Service: One cluster per tenant, offering full isolation but higher overhead.
  2. Namespace as a Service: Tenants share a cluster, but workloads are isolated within namespaces, allowing for resource sharing.
  3. Control Plane as a Service: Virtualized control planes provide isolation similar to Cluster as a Service but share worker node resources.

At Fidelity, the team uses Namespace as a Service, which allows them to manage developer environments while reducing the risk of cluster sprawl and operational overhead. Teams can request a “workspace” which contains one or more namespaces for their applications, with RBAC and multi-tenancy boundaries automatically enforced.

Tools for Implementing Security and Isolation

For achieving security and network isolation, Fidelity uses Cilium and Kyverno—two open-source projects that complement each other well.

  • Cilium is a CNI (Container Network Interface) that enhances Kubernetes’ network security. It provides identity-based network policies (CiliumNetworkPolicy) that control traffic between workloads at L3/L4 and, for selected protocols such as DNS and HTTP, at L7, plus observability (Hubble) to see which flows are allowed or dropped.
  • Kyverno is a policy engine that automates security best practices for Kubernetes clusters. It can validate, mutate, generate and clean up resources, ensuring they comply with defined standards. In this context, Kyverno is used to generate Cilium policies for each tenant namespace and to provide guardrails around the network policies teams are allowed to define for their own applications.

In their demo, Jim showed how Kyverno and Cilium can be used together to manage network isolation and enforce security policies. For example, Kyverno automates the creation of network policies whenever a tenant namespace is created, so that traffic between workloads is limited to explicitly allowed flows without the application team having to write any policy themselves.
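As an added example (this is not the code shown in the talk and not taken from either project’s documentation), the label-driven automation described above can be expressed as a single Kyverno ClusterPolicy with three rules: require workspace labels on namespaces, copy them onto pods, and generate a baseline CiliumNetworkPolicy per namespace. Assumptions: the label keys are `workspace` and `tier`, cluster DNS is kube-dns in `kube-system`, and Cilium is the CNI.

```yaml
# Added example, not from the talk. Assumes label keys "workspace"/"tier",
# kube-dns in kube-system, Cilium as CNI.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: workspace-network-baseline
spec:
  validationFailureAction: Enforce
  rules:
    # 1. Every tenant namespace must declare its workspace and tier.
    - name: require-workspace-labels
      match:
        any:
          - resources:
              kinds: [Namespace]
      exclude:
        any:
          - resources:
              names: [kube-system, kube-public, kube-node-lease, default]
      validate:
        message: "Namespaces must carry 'workspace' and 'tier' labels."
        pattern:
          metadata:
            labels:
              workspace: "?*"
              tier: "?*"

    # 2. Copy the namespace labels onto each pod at admission so that
    #    application-level policies can select on them.
    - name: copy-namespace-labels-to-pods
      match:
        any:
          - resources:
              kinds: [Pod]
      context:
        - name: nslabels
          apiCall:
            urlPath: "/api/v1/namespaces/{{request.namespace}}"
            jmesPath: "metadata.labels"
      preconditions:
        any:
          - key: "{{ nslabels.workspace || '' }}"
            operator: NotEquals
            value: ""
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              workspace: "{{ nslabels.workspace }}"
              tier: "{{ nslabels.tier }}"

    # 3. Generate a baseline policy per namespace: default-deny in both
    #    directions, allow traffic within the same workspace, allow DNS.
    - name: generate-workspace-policy
      match:
        any:
          - resources:
              kinds: [Namespace]
      exclude:
        any:
          - resources:
              names: [kube-system, kube-public, kube-node-lease, default]
      generate:
        apiVersion: cilium.io/v2
        kind: CiliumNetworkPolicy
        name: workspace-baseline
        namespace: "{{request.object.metadata.name}}"
        synchronize: true
        data:
          spec:
            endpointSelector: {}          # every pod in this namespace
            ingress:
              - fromEndpoints:
                  # Cilium scopes a plain matchLabels selector to the policy's own
                  # namespace; the namespace-label key is what lets a workspace
                  # span several namespaces.
                  - matchLabels:
                      k8s:io.kubernetes.pod.namespace.labels.workspace: "{{request.object.metadata.labels.workspace}}"
            egress:
              - toEndpoints:
                  - matchLabels:
                      k8s:io.kubernetes.pod.namespace.labels.workspace: "{{request.object.metadata.labels.workspace}}"
              - toEndpoints:
                  - matchLabels:
                      k8s:io.kubernetes.pod.namespace: kube-system
                      k8s-app: kube-dns
                toPorts:
                  - ports:
                      - port: "53"
                        protocol: ANY
                    rules:
                      dns:
                        - matchPattern: "*"
```

Two caveats worth checking before rolling this out: once a CiliumNetworkPolicy selects a pod, anything not listed is dropped, so ingress from an ingress controller, a service mesh or a monitoring namespace needs its own allow rule (typically a second generated policy keyed on the tier label), and `synchronize: true` means Kyverno will revert manual edits to the generated policy, which is the desired behaviour for a platform baseline but surprises teams who try to “fix” it by hand.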

Benefits of Namespace as a Service

Rachael discussed how Fidelity uses Namespace as a Service to avoid the complexity of managing multiple clusters. By centralizing workloads within a shared Kubernetes cluster but isolating them using namespaces, Fidelity:

  • Reduces operational overhead by eliminating cluster sprawl.
  • Ensures consistent security practices across all workloads.
  • Provides self-service capabilities for developers, allowing them to deploy workloads with pre-configured security policies.

This approach also simplifies cost management, as developers can use a shared set of resources, and the predictable cost model makes budgeting easier.

The Demo: Network Policies in Action

In the live demo, Jim demonstrated how Kyverno and Cilium work together to enforce security and network isolation:

  1. Namespace Creation: Kyverno validates that every new namespace carries the required workspace and tier labels, and rejects namespaces that do not.
  2. Pod Labeling: Kyverno automatically copies the namespace labels onto every pod created in the namespace. Cilium policies select endpoints by label, so propagating the labels lets one generated policy per namespace express “same workspace” and “same tier” without per-application configuration.
  3. Traffic Control: Kyverno generates Cilium network policies that enforce traffic rules based on those labels, such as allowing DNS traffic from a namespace or allowing traffic between the namespaces of one workspace, while everything else is denied by default.
  4. Application Segmentation: For a sample guestbook application, Jim showed how to enforce tier-based segmentation with network policies, so that the front-end can reach the back-end but the back-end accepts nothing else. Policy-based guardrails then prevent erroneous or malicious flows that a team might otherwise author themselves, such as a policy that lets the back-end tier reach the public internet.
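Step 4 in working form, as an added example that is not the talk’s demo code. It assumes the labels from steps 1 to 3 are in place (namespaces labelled `workspace=team-a` and `tier=frontend` or `tier=backend`, copied onto pods), a guestbook front-end labelled `app=guestbook,tier=frontend`, and a Redis back-end labelled `app=guestbook,tier=backend` listening on 6379. The first document is the tier policy a team would write; the second is the platform guardrail that rejects a back-end policy opening egress to the internet.

```yaml
# Added example, not from the talk. Assumes the labels described in the lead-in.
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: guestbook-backend
  namespace: guestbook-backend
spec:
  endpointSelector:
    matchLabels:
      app: guestbook
      tier: backend
  ingress:
    # Only guestbook front-end pods in the same workspace, only on 6379.
    # The namespace-label key is required or Cilium would limit the match
    # to pods inside guestbook-backend itself.
    - fromEndpoints:
        - matchLabels:
            app: guestbook
            tier: frontend
            k8s:io.kubernetes.pod.namespace.labels.workspace: team-a
      toPorts:
        - ports:
            - port: "6379"
              protocol: TCP
  egress:
    # The back-end gets DNS and nothing else: no toEntities: world here.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
---
# Guardrail: reject any CiliumNetworkPolicy in a backend-tier namespace that
# would allow egress to the public internet, however it is spelled.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-backend-egress-to-world
spec:
  validationFailureAction: Enforce
  rules:
    - name: backend-no-world-egress
      match:
        any:
          - resources:
              kinds: [CiliumNetworkPolicy]
              namespaceSelector:
                matchLabels:
                  tier: backend
      validate:
        message: "Backend-tier namespaces may not allow egress to the public internet."
        deny:
          conditions:
            any:
              # toEntities: world (or all) is the direct form
              - key: "{{ request.object.spec.egress[].toEntities[] || `[]` }}"
                operator: AnyIn
                value: [world, all]
              # a catch-all CIDR is the same thing in disguise
              - key: "{{ request.object.spec.egress[].toCIDR[] || `[]` }}"
                operator: AnyIn
                value: ["0.0.0.0/0", "::/0"]
              - key: "{{ request.object.spec.egress[].toCIDRSet[].cidr || `[]` }}"
                operator: AnyIn
                value: ["0.0.0.0/0", "::/0"]
```

The guardrail deliberately checks several spellings of “anywhere”, because a team that is blocked on `toEntities: world` will try `toCIDR: 0.0.0.0/0` next. It still only covers `spec`; a CiliumNetworkPolicy can also carry a `specs` list, and a CiliumClusterwideNetworkPolicy bypasses the namespace selector entirely, so a production guardrail should match those kinds as well and restrict who may create cluster-wide policies through RBAC.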

The demo highlighted how policies can be automatically enforced, ensuring that workloads are isolated and secure while offering developers flexibility within their assigned namespaces.

Key Takeaways

  1. Platform Engineering aims to reduce cognitive load for developers, but it also requires careful attention to detail and standardization to ensure security.
  2. Multi-Tenancy and Micro-Segmentation are essential for securing workloads in shared infrastructure environments, allowing for effective isolation.
  3. Cilium and Kyverno provide complementary capabilities for securing Kubernetes environments, from network isolation to policy enforcement.
  4. Namespace as a Service offers a balance between reducing complexity and ensuring security, making it an ideal choice for managing workloads in large organizations.

Conclusion

The session concluded by emphasizing that platforms, while often seen as boring infrastructure, are critical to driving business value. By standardizing network and security practices and using tools like Cilium and Kyverno, platform engineers can provide secure, self-service environments for developers.

To learn how to automate security and operations, check out Nirmata Control Hub today. 
