CSC/ECE 517 Fall 2023 - NTX-3 Usability and Security: Difference between revisions

From Expertiza_Wiki
Revision as of 03:52, 15 November 2023

Kubernetes

Kubernetes, or K8s, is an open-source container orchestration platform that automates the deployment, scaling, and management of containerized applications, taking over work that developers and projects would otherwise have to script by hand.

Kubernetes simplifies and streamlines the process of managing containerized applications through:

- Container Orchestration: The user declares how the containerized application should run (image, replica count, resources), and Kubernetes continuously reconciles the cluster toward that desired state.

- Automated Scaling: This allows Kubernetes to automatically scale applications based on certain metrics, which ensures that the services are always responsive and reliable.

- Self-healing: Kubernetes monitors the health of the user's applications and automatically restarts, replaces, or reschedules containers that fail or stop responding.

- Load Balancing: A Service distributes incoming traffic across the healthy containers behind it, so no single replica is overloaded while others sit idle.

- Rollouts and Rollbacks: Kubernetes allows controlled updates to applications, which allow smooth rollouts of new versions as well as easy rollbacks if necessary.

Together, these capabilities let teams create and manage large numbers of containers in a consistent and efficient way.
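The following manifest is an added illustration, not taken from the original page or from any Nutanix project, of how the features listed above map onto Kubernetes objects: the Deployment's replica count and rolling-update strategy cover orchestration and rollouts/rollbacks, the probes drive self-healing, the Service provides load balancing, and the HorizontalPodAutoscaler provides automated scaling. The image name, ports, health endpoint, and resource figures are assumptions for the example.

```yaml
# Added example: a minimal application with the Kubernetes features described above.
# Image, ports, /healthz path and resource figures are assumed values.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 3                      # desired state: three pods, recreated if any are lost
  selector:
    matchLabels:
      app: web
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0            # never remove a healthy pod before its replacement is Ready
      maxSurge: 1                  # roll out one new pod at a time
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: web
          image: example.com/web:1.2.3     # assumed image
          ports:
            - containerPort: 8080
          readinessProbe:          # the Service only routes traffic to pods that pass this
            httpGet:
              path: /healthz
              port: 8080
          livenessProbe:           # the kubelet restarts the container when this keeps failing
            httpGet:
              path: /healthz
              port: 8080
            periodSeconds: 10
            failureThreshold: 3
          resources:               # requests are what the autoscaler's utilisation target is measured against
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              memory: 256Mi
---
apiVersion: v1
kind: Service                      # load-balances across the ready pods selected by app=web
metadata:
  name: web
spec:
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler       # automated scaling on CPU utilisation
metadata:
  name: web
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: web
  minReplicas: 3
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
```

Apply it with `kubectl apply -f` and change the image tag to trigger a rolling update; `kubectl rollout status deployment/web` follows the rollout and `kubectl rollout undo deployment/web` reverts to the previous ReplicaSet if the new version misbehaves. Setting `maxUnavailable: 0` together with a readiness probe is what makes the rollout safe: a new pod must report Ready before an old one is removed.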

Nutanix Database Service

The Nutanix Database Service (NDB) is a hybrid-cloud database-as-a-service that lets users manage their databases efficiently. It supports Microsoft SQL Server, Oracle Database, PostgreSQL, MongoDB, and MySQL. Through its features, users can provision new databases, automate tasks such as patching and backups, and choose the operating systems, database versions, and database extensions that fit their needs. NDB lets customers simplify database management across locations, including on-premises data centers, colocation sites, and public clouds.

The features of the NDB Service:

1. The NDB Service allows its users to manage the entire database lifecycle through provisioning, scaling, versioning, and patch automation.

2. Users can manage many databases across various locations, including on-premises, colocation sites, and public clouds from one control plane. The supported databases are Microsoft SQL Server, Oracle, PostgreSQL, MySQL, and MongoDB.

3. Using API integration coupled with infrastructure management and development tools allows users to provision the self-service database for both dev/test and production.

4. Users can roll out patches to a subset of their databases or to their entire database fleet to close known security issues. They can also support regulatory compliance by restricting who may reach each database through role-based access control.

External Secrets Operator and its Tradeoffs

Another potential solution is the External Secrets Operator (ESO), a Kubernetes operator that integrates with external secret management systems, including HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, Azure Key Vault, IBM Cloud Secrets Manager, and CyberArk Conjur. The operator reads secret values from the configured external store and writes them into a Kubernetes Secret, keeping the Secret in sync with the external source.
[[File:ESO.jpg]]

The above image shows the high-level architecture of the External Secrets Operator. The drawback of this solution is that it only works when an external secret management system exists for the operator to read from and mirror into a Kubernetes Secret. No external secret manager is currently in use, so in the NDB Kubernetes Operator's current state this approach would be less effective than the previous solution.
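To make the dependency concrete, the manifests below are an added example (not code from the original page, from the NDB Kubernetes Operator, or from the ESO project) of what the operator needs before it can produce a Secret: a SecretStore that points at an external backend, here assumed to be a HashiCorp Vault KV v2 engine reached through Vault's Kubernetes auth method, and an ExternalSecret that selects the keys to mirror. The server address, namespace, Vault path, role and secret names are all assumptions for the example.

```yaml
# Added example. All names, the Vault address and the Vault path are assumed values.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore                  # namespaced connection to one external backend
metadata:
  name: vault-backend
  namespace: ndb
spec:
  provider:
    vault:
      server: "https://vault.example.internal:8200"   # assumed Vault address
      path: "secret"               # KV engine mount
      version: "v2"
      auth:
        kubernetes:                # ESO authenticates to Vault with a service account token
          mountPath: "kubernetes"
          role: "ndb-operator"     # Vault role that limits which paths this identity may read
          serviceAccountRef:
            name: ndb-operator
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret               # what to fetch and which Kubernetes Secret to write
metadata:
  name: ndb-credentials
  namespace: ndb
spec:
  refreshInterval: 1h              # re-read the backend so rotations propagate
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: ndb-credentials          # the Kubernetes Secret ESO creates and owns
    creationPolicy: Owner          # deleting the ExternalSecret also deletes the Secret
  data:
    - secretKey: username          # key inside the Kubernetes Secret
      remoteRef:
        key: ndb/credentials       # path in the KV engine (assumed)
        property: username
    - secretKey: password
      remoteRef:
        key: ndb/credentials
        property: password
```

Without a reachable backend the SecretStore never becomes Ready and the ExternalSecret stays in an error condition, which is exactly the situation the paragraph above describes. The resulting Kubernetes Secret is an ordinary base64-encoded Secret: ESO improves where the source of truth lives and how rotation happens, but it does not change who in the cluster can read the mirrored copy.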

Additionally, the operator only synchronizes secrets; it does not control or restrict who can read the Kubernetes Secrets it creates. That is the job of Kubernetes' built-in Role-Based Access Control (RBAC), which lets an administrator define policies specifying which users and service accounts may perform which actions on which Kubernetes resources, including Secrets.
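The manifests below are an added example (not from the original page or from the NDB project) of the RBAC policy that would accompany such a mirrored Secret: a namespaced Role that grants only `get` on one named Secret, bound to the operator's service account. The namespace, Secret name and service account name are assumptions that match the example names used in the ESO discussion.

```yaml
# Added example. Namespace, Secret name and service account are assumed values.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ndb-credentials-reader
  namespace: ndb
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["ndb-credentials"]   # only this Secret, not every Secret in the namespace
    verbs: ["get"]                       # deliberately no list/watch: resourceNames cannot
                                         # restrict those verbs, so granting them exposes all Secrets
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ndb-operator-reads-credentials
  namespace: ndb
subjects:
  - kind: ServiceAccount
    name: ndb-operator                   # the only identity allowed to read the Secret
    namespace: ndb
roleRef:
  kind: Role
  name: ndb-credentials-reader
  apiGroup: rbac.authorization.k8s.io
```

Two checks are worth running after applying this. `kubectl auth can-i get secret/ndb-credentials --as=system:serviceaccount:ndb:ndb-operator -n ndb` should answer `yes`, and the same command with `list secrets` or with another service account should answer `no`. Note that the External Secrets Operator's own controller still needs permission to create and update Secrets in the namespace it writes to; that grant is separate from, and broader than, the read-only policy above, so it should be scoped to the namespaces where ExternalSecrets are actually defined.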