Technical Implementation of Managing Modern On-prem
Currently, the best implementations of Modern On-prem put Kubernetes at the center. The application vendor builds a Kubernetes-based application and distributes it to an enterprise, which deploys it into an existing Kubernetes cluster. Deploying into existing clusters lets enterprises reuse the same deployment pipelines they already use for first-party applications, so every application, vendor-supplied or in-house, is managed through one unified, standard process. In practice that pipeline involves some form of VCS, CI, a container registry, and one or more target Kubernetes clusters. Several areas deserve consideration when setting up the cluster, the deployment pipeline, and access control. We cover each briefly below, with a link to a more detailed sample implementation.
The Kubernetes Cluster(s)
The key requirements for your Kubernetes cluster are that it is reliable, reasonably easy to upgrade, and provides the backing services that generally constitute a functional cluster. The choice is yours, but we offer an unapologetically opinionated recommendation for setting up a production-grade Kubernetes cluster.
The Deployment Pipeline
The requirements for a production-grade Kubernetes deployment pipeline are that it is automated, auditable, composable, and rooted in the principles of change management. We strongly subscribe to the idea of "configuration as code" (well, everything "as code," really), so we suggest setting up a GitOps pipeline.
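The four properties above are easier to reason about with a concrete reconciler in hand. The following is an added illustration, not Replicated's pipeline or any real GitOps controller: desired state is a constructed in-memory snapshot of what a Git commit declares, live state is what the cluster runs, and the reconciler computes a plan, enforces change-management guardrails (image pinned by digest, owning team declared, no privileged containers), and writes an audit record tied to the commit that caused each change. Manifest shapes, label names and the `registry.example.com` host are all assumptions.

```python
"""Minimal GitOps-style reconciler (added illustration, not Replicated's code).

Desired state = what Git says (constructed snapshot of one commit).
Live state    = what the cluster currently runs (constructed).
"""
import hashlib
import json
import re
from dataclasses import dataclass

# Images must be referenced by digest so what was reviewed is what runs.
DIGEST_RE = re.compile(r"^[\w./-]+@sha256:[0-9a-f]{64}$")


@dataclass
class AuditEntry:
    commit: str          # Git commit that authorised this change
    action: str          # create / update / delete
    name: str
    manifest_hash: str   # hash of exactly what was applied ("" for delete)


def manifest_hash(manifest: dict) -> str:
    """Stable hash so the audit log can prove exactly what was applied."""
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def validate(manifest: dict) -> list:
    """Guardrails a change reviewer would expect the pipeline to enforce."""
    problems = []
    image = manifest.get("image", "")
    if not DIGEST_RE.match(image):
        problems.append(f"{manifest['name']}: image {image!r} is not pinned by digest")
    if "team" not in manifest.get("labels", {}):
        problems.append(f"{manifest['name']}: missing 'team' label")
    if manifest.get("privileged"):
        problems.append(f"{manifest['name']}: privileged containers are not allowed")
    return problems


def plan(desired: dict, live: dict) -> dict:
    """Diff Git (desired) against the cluster (live)."""
    return {
        "create": sorted(n for n in desired if n not in live),
        "update": sorted(n for n in desired
                         if n in live and manifest_hash(desired[n]) != manifest_hash(live[n])),
        "delete": sorted(n for n in live if n not in desired),
    }


def reconcile(commit: str, desired: dict, live: dict, audit: list) -> dict:
    """Apply the plan only if every desired manifest passes validation.
    Mutates `live` in place and appends one AuditEntry per change."""
    problems = [p for m in desired.values() for p in validate(m)]
    if problems:
        raise ValueError("refusing to reconcile: " + "; ".join(problems))
    p = plan(desired, live)
    for action in ("create", "update"):
        for name in p[action]:
            live[name] = desired[name]
            audit.append(AuditEntry(commit, action, name, manifest_hash(desired[name])))
    for name in p["delete"]:
        del live[name]
        audit.append(AuditEntry(commit, "delete", name, ""))
    return p


# Constructed sample data: one commit's manifests vs. a drifted cluster.
_GOOD = "sha256:" + "a" * 64
_OLD = "sha256:" + "b" * 64
DESIRED = {
    "api": {"name": "api", "image": f"registry.example.com/vendor/api@{_GOOD}",
            "labels": {"team": "platform"}},
    "worker": {"name": "worker", "image": f"registry.example.com/vendor/worker@{_GOOD}",
               "labels": {"team": "platform"}},
}
LIVE = {
    "api": {"name": "api", "image": f"registry.example.com/vendor/api@{_OLD}",
            "labels": {"team": "platform"}},
    "legacy": {"name": "legacy", "image": f"registry.example.com/vendor/legacy@{_OLD}",
               "labels": {"team": "platform"}},
}

if __name__ == "__main__":
    live, audit = {k: dict(v) for k, v in LIVE.items()}, []
    print(reconcile("deadbeef", DESIRED, live, audit))
    for entry in audit:
        print(entry)
```

The point of the guardrails is that the pipeline, not a human at a terminal, is the only thing that applies changes, so a policy enforced here is enforced for vendor-supplied and first-party applications alike, and the audit list is the change record an auditor would ask for.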
Securing the Application Cluster
While user experience and security are often in conflict, we believe a thoughtful implementation of a BeyondCorp access model can satisfy both. BeyondCorp with Modern On-prem secures access to any service placed behind an access proxy, so each service can be reached from the public internet without a VPN client. Reachable does not mean open: the access proxy enforces coarse-grained access control before connecting to the underlying services, which sit on a private network and perform further authentication and authorization of their own. For accessing our Modern On-prem applications, we detailed the setup we use at Replicated to implement a BeyondCorp-style access control system.
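The division of labour described above, coarse-grained decisions at the proxy and fine-grained decisions in the service, is shown in the following added example. It is not Replicated's implementation: the HMAC-signed token, the user and device inventories, the route policy, and the `X-Forwarded-User` / `X-Forwarded-Groups` header names are all constructed assumptions standing in for a real identity provider, device-trust source and proxy.

```python
"""BeyondCorp-style access proxy in front of a private service (added
illustration, not Replicated's code). Keys, users, devices and routes are
constructed sample data."""
import hashlib
import hmac
import json
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Optional

PROXY_KEY = b"constructed-demo-key-do-not-use"   # assumption: IdP/proxy shared key

# Constructed stand-ins for the identity provider, device inventory and route policy.
USERS = {"alice": {"groups": ["eng"]}, "bob": {"groups": ["support"]}}
DEVICES = {
    "laptop-1": {"owner": "alice", "compliant": True},
    "laptop-2": {"owner": "bob", "compliant": True},
    "laptop-3": {"owner": "alice", "compliant": False},   # failed posture check
}
ROUTES = {
    "grafana": {"allow_groups": ["eng", "support"]},
    "admin-console": {"allow_groups": ["eng"]},
}


def _sign(payload: bytes) -> str:
    return urlsafe_b64encode(hmac.new(PROXY_KEY, payload, hashlib.sha256).digest()).decode()


def issue_token(user: str, device: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """What the identity provider hands the browser after login (simplified)."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": user, "dev": device, "exp": now + ttl}, sort_keys=True).encode()
    return urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
        payload = urlsafe_b64decode(body)
    except ValueError:          # malformed token or bad base64
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def proxy_decide(service: str, token: str, now: Optional[int] = None):
    """Coarse-grained gate at the edge: valid identity, trusted device, and a
    route policy admitting one of the user's groups. Returns (allowed, reason
    for the audit log, identity headers to forward to the private service)."""
    claims = verify_token(token, now)
    if claims is None:
        return False, "invalid or expired token", {}
    user, device = claims["sub"], claims["dev"]
    dev = DEVICES.get(device)
    if dev is None or dev["owner"] != user or not dev["compliant"]:
        return False, f"device {device} not trusted for {user}", {}
    route = ROUTES.get(service)
    if route is None:
        return False, f"unknown service {service}", {}
    groups = USERS.get(user, {}).get("groups", [])
    if not set(groups) & set(route["allow_groups"]):
        return False, f"{user} not in allowed groups for {service}", {}
    return True, "ok", {"X-Forwarded-User": user, "X-Forwarded-Groups": ",".join(groups)}


def backend_authorize(headers: dict, resource: str, action: str) -> bool:
    """Fine-grained check inside the private network. The service is reachable
    only through the proxy, so it trusts the forwarded identity, but it still
    decides per resource: support may read dashboards, only eng may write."""
    groups = set(headers.get("X-Forwarded-Groups", "").split(","))
    if action == "read" and resource.startswith("dashboards/"):
        return bool(groups & {"eng", "support"})
    return "eng" in groups


if __name__ == "__main__":
    tok = issue_token("bob", "laptop-2")
    ok, reason, hdrs = proxy_decide("grafana", tok)
    print(ok, reason, backend_authorize(hdrs, "dashboards/ops", "read"))
```

Two properties matter for the design: the proxy rejects on identity, device posture or route policy before any packet reaches the private network, and the backend never relies on the proxy alone, so a mistake in the route policy still leaves the per-resource check in place.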