A SUSE új megoldással készül, hogy támogassa a memóriában futó adatok védelmét, ami a felhőszolgáltatások terjedésével egyre nagyobb kihívást jelent a vállalatoknak.

Egyre több vállalat vesz igénybe felhőszolgáltatásokat, hiszen ezek segítségével rugalmasabbá, agilisebbé és költséghatékonyabbá teheti működését. A biztonság terén ugyanakkor ezek a szolgáltatások új kihívásokat támasztanak, mivel újabb támadási felületet jelenthetnek. Ezért a cégeknek minden helyzetben és minden pillanatban védeniük kell az adatokat: nemcsak olyankor, amikor az adatközpontban vagy a felhőben tárolják azokat, hanem akkor is, amikor a hálózatban utaznak, vagy amikor a memóriában használják őket. Ez utóbbi különösen nagy kihívást jelent, ugyanis a hagyományos számítástechnikai infrastruktúrák nem biztosítanak megfelelő lehetőséget erre a helyzetre.

További nehezítés, hogy a nyilvános felhőszolgáltatóknál akár több ügyfél alkalmazásai is futhatnak egyszerre ugyanannak a gépnek a memóriájában. Ilyen esetben különösen fontos, hogy szétválasszák az adatokat, és gondoskodjanak a védelmükről. Ezért egyre nagyobb szerephez jut a confidential computing, amellyel egy olyan különleges végrehajtási környezetben végzik a számításokat, amelynek megbízhatóságát tanúsítványok igazolják. A technológia megakadályozza, hogy illetéktelenek érhessék el vagy módosíthassák a használatban lévő adatokat, ám ez az üzleti működés szempontjából kritikus fontosságú folyamatokat és szolgáltatásokat nem érinti.

Ezt a megközelítést a SUSE is több törekvéssel támogatja. Többek között ezért kezdett bele az Adaptive Linux Platform (ALP) fejlesztésbe, melynek célja, hogy új megközelítést nyújtson a vállalati Linux számára a felhőnatív világban – az adatközponttól a felhőig, illetve az edge környezetekig. Az ALP egy alkalmazásközpontú, „könnyűsúlyú”, biztonságos és rugalmas platform, amely hagyományos alkalmazások helyett konténerizált szolgáltatásokat futtat, és elkülöníti azokat a hardverek szintjétől, elősegítve a confidential computing törekvéseket.

A SUSE háromhavonta a megoldás egy új prototípusával jelentkezik, hogy az ügyfelek és a partnerek tesztelhessék az új funkciókat. A legfrissebb változat nemrég jelent meg Piz Bernina néven (a svájci Alpok legmagasabb hegye után). Az új kiadás továbbfejlesztett, biztonságos végrehajtási környezetet biztosít, amely elszigeteli és titkosítja a virtuális gépekben használt adatokat. Az új SUSE ALP megfelelő alapot kínál ahhoz is, hogy a jövőben kiterjesszék a Confidential Virtual Machine (CVM) támogatást, lehetőséget nyújtva a hardvergyártóknak a támogatás kibővítéséhez, hogy a legújabb hardvereket is használni lehessen a confidential computing projektekhez.

Szintén fontos újdonság, hogy a megoldás már integrálható a SUSE konténerbiztonsági megoldásával, a NeuVectorral, amely védelmet kínál a konténerek teljes életciklusára kiterjedően. Ezáltal a szervezetek azonosíthatják a gyanús aktivitásokat, és megakadályozhatják, hogy azok hozzáférjenek az alapot szolgáltató host operációs rendszerhez vagy a konténerizált szolgáltatásokhoz.

Miután telepítették és engedélyezték az ALP rendszeren, a NeuVector automatikusan ellenőrzi a rendszeren futó összes konténert, és azonosítja a potenciális sebezhetőségeket, illetve egyéb fenyegetéseket. Emellett képes megtanulni, hogyan viselkednek a konténerek, és lehetővé teszi a felhasználók számára, hogy további korlátozásokat vezessenek be ezen tanulás alapján, ha szükségesnek látják.

A NeuVector integrációval a SUSE minden eddiginél biztonságosabb szoftverellátási láncot kínálhat, amely kiterjed a forráskód elemzéstől kezdve a tanúsított buildrendszer környezeten, illetve a disztribúciók, a csomagok és a konténerek létrehozásán át egészen a gyanús szolgáltatások és tevékenységek azonosításáig.

A SUSE új megoldásai segítségével a vállalatok még egyszerűbben kihasználhatják a digitális átálláshoz szükséges technológiák, köztük a legújabb hardverek, a felhőszolgáltatások és a konténerek előnyeit.

Mára szinte hagyománnyá vált, hogy a SUSE időről időre valamilyen zenei feldolgozással lepi meg a SUSECon konferencia résztvevőit és az összes érdeklődőt a világ minden táján. Most egy blogposztba, gyűjtöttük össze a műveket, így akár a szilveszteri buliban is megalapozhatjátok a jó hangulatot a népszerű és vicces átiratokkal. Hiszen ilyenkor mindent szabad, minden nyílt  Boldog új évet kívánunk!

Everything is Open Studio Music Video for SUSECon 2014:

What Does the Chameleon Say? (Ylvis – What Does the Fox Say parody):

Uptime Funk – (Uptown Funk parody):

SUSE. Yes Please. (Maroon 5 – Sugar parody):

Code Together – (Come Together parody):

Can’t Stop the SUSE – (Can’t Stop the Feeling parody):

Coding in the Name of – (Rage Against the Machine parody):

Az összes együtt pedig itt található meg egy playlisten:

SUSE Linux, the international technology leader and solutions provider in Open Source operating system software,announced the shipping of SUSE Linux 7.1 for Compaq’s Alpha Server. By porting the latest SUSE distribution to Compaq’s 64-bit technology, SUSE proves itself again as a leading provider of Linux server solutions.SUSE Linux for AlphaServers is available directly from SUSE as well as from bookstores and software retailers at a recommended retail price of $ 49.95.

SUSE Linux for AlphaServers comes with the proven Linux Kernel 2.2.19 as well as the latest Kernel 2.4.4 as a special bonus for technophile users. With more than 1,200 programs included, SUSE Linux for AlphaServers provides a comprehensive array of applications. The system offers professional Linux solutions for virtually any utilization area. Apart from Internet and network tools, SUSE Linux 7.1 for AlphaServers comes with a wide range of database applications, development tools, office and image processing software, and window managers. A user may select among two graphical user interfaces, KDE 2.1 or GNOME 1.2.

SUSE Linux 7.1 for AlphaServers will be delivered on 6 CDs with a 500-page manual.The 60-day installation support, which is included in the purchase price, provides assistance for the installation.

Due to the timing of the recent release of the SUSE Linux 7.2 version, we will not be releasing a version of 7.2 for Alpha as well as for the PowerPC, but focusing the development of these products for the subsequent release of SUSE Linux beyond 7.2

To learn more about the SUSE Products, visit http://shop.suse.com

About Novell
Novell, Inc. is a leading provider of information solutions that deliver secure identity management (Novell® Nsure™), Web application development (Novell exteNd™) and cross-platform networking services (Novell Nterprise™), all supported by strategic consulting and professional services (Novell NgageSM). Active in the open source community with its Ximian and SUSE Linux brands, Novell is firmly committed to open source and offers comprehensive Linux products and services for the enterprise, from the desktop to the server. Novell’s vision of one Net – a world without information boundaries – helps customers realize the value of their information securely and economically. For more information, call Novell’s Customer Response Center at (888) 321-4CRC (4272) or visit http://www.novell.com. Press should visit http://www.novell.com/pressroom.

Novell is a registered trademarks; Nsure, exteNd and Nteprise are trademarks; and Ngage is a service mark of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE Linux AG. * All third-party trademarks are the property of their respective owners.

Today, SUSE Linux, the international technology leader and solutions provider in Open Source operating system software, announced the release of SUSE Linux 7.0 for Alpha systems. The port of the current SUSE distribution to Compaq 64-Bit-technology, underlines SUSE technical competence as the leading provider of server solutions. In addition to the Alpha platform, SUSE Linux also supports Intel and PowerPC as well as the SPARC and S/390 architectures.

“SUSE Linux with multi-platform support is an ideal uniform server platform for a professional environment,” explained Dirk Hohndel, CTO SUSE Linux AG. “The advantages of SUSE Linux are not limited to comprehensive network capabilities, stability, and flexibility. The possibility of a uniform and rational administration of heterogeneous networks helps minimize the expenditures for development or acquisition of strategic software products. Due to low acquisition costs and reduced long-term administration costs, SUSE Linux operating system contributes considerably to economical operation of large server farms.”

SUSE Linux for Alpha processors, which includes more than 1200 applications on 6 CDs, offers professional Linux solutions for virtually any purpose. In addition to Internet and network tools, SUSE Linux 7.0 for Alpha provides a wide range of database applications, developer tools, office and image processing software, and window managers. The package includes the graphical user interfaces KDE and the current GNOME desktop version.

The installation/configuration tool YaST provides the user with the whole range of configuration and administration functions. ATI and Matrox chipsets now benefit from the improved performance of XFree86 4.01. The configuration tool SaX2 ensures the easy installation and setup of graphics cards. Users now have all boot loaders for Alpha-Linux at their disposal – Milo 2.2, APB and Aboot 0.7a. The compilers for Compaq C, C++, Fortran and the respective math libraries are also new in this package.

The 490-page English manual is a valuable source for comprehensive information on SUSE Linux 7.0 for Alpha. Additionally, 60 days installation support is available. SUSE Linux 7.0 for Alpha can be obtained from SUSE or from software retailers from the beginning of December onwards. The suggested retail price is $49.95.

About Novell
Novell, Inc. is a leading provider of information solutions that deliver secure identity management (Novell® Nsure™), Web application development (Novell exteNd™) and cross-platform networking services (Novell Nterprise™), all supported by strategic consulting and professional services (Novell NgageSM). Active in the open source community with its Ximian and SUSE Linux brands, Novell is firmly committed to open source and offers comprehensive Linux products and services for the enterprise, from the desktop to the server. Novell’s vision of one Net – a world without information boundaries – helps customers realize the value of their information securely and economically. For more information, call Novell’s Customer Response Center at (888) 321-4CRC (4272) or visit http://www.novell.com. Press should visit http://www.novell.com/pressroom.

Novell is a registered trademarks; Nsure, exteNd and Nteprise are trademarks; and Ngage is a service mark of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE Linux AG. * All third-party trademarks are the property of their respective owners.

Nemrég rendezték meg a SUSE éves konferenciáját, amelynek előadásai már visszanézhetők. Tekintsen bele a legújabb technológiai trendekről és nyílt forráskódú fejlesztésekről szóló prezentációkba.

Június 20. és 22. között tartották a SUSECON rendezvényt Münchenben. A SUSE konferenciája minden évben az aktuális üzleti kihívásokat és az ezek leküzdésében segítő informatikai megoldásokat mutatja be az open source közösség, az ügyfelek és a partnerek számára.

A SUSE szakértői számos fontos újdonságot jelentettek be és ismertettek az eseményen.

Megjelent többek között a cég zászlóshajójának számító nagyvállalati Linux-platform legújabb verziója, a SUSE Linux Enterprise 15 SP5, amelynek fejlesztésekor kifejezetten nagy hangsúlyt fektettek a mesterséges intelligencia és a gépi tanulás feladataihoz elengedhetetlen nagy teljesítményű számítástechnikai képességekre. Megérkezett továbbá a platform SAP-alkalmazásokhoz optimalizált változata is. A SLE 15 SP5 for SAP Applications tovább javítja az SAP-rendszerek magas rendelkezésre állását, és gyorsabb telepítést tesz lehetővé a továbbfejlesztett automatizálás és a beépített biztonsági funkciókat tartalmazó eszközök révén.

Új változattal jelentkezett a SUSE Manager rendszerfelügyeleti eszköz is, amely már több mint 15 különböző Linux-disztribúciót támogat, köztük a SUSE rendszereket, valamint az összes RHEL 9 változatot, a Rocky Linuxot, az Alma Linuxot és a RHEL 9-et. A SUSE emellett a bemutatta a SUSE Adaptable Linux Platform (ALP) rendszert is, amely a modern felhőkörnyezetekben is meghonosítja a nagyvállalati Linuxot, moduláris Linuxként futtatva a konténeres és virtualizált szolgáltatásokat.

Az aktuális igényeknek megfelelően a SUSE arra is figyelmet fordít, hogy támogassa a vállalatokat a konténerek hatékony és biztonságos üzemeltetésében. Ennek jegyében hasznos újdonságokat tartalmaz a Longhorn tárolási platform, a felhőnatív, hiperkonvergens infrastruktúrákhoz készült Harvester megoldás, és a SUSE NeuVector konténerbiztonsági eszköz is.

Aki további részletekre kíváncsi az újdonságokkal kapcsolatban, az elmélyülhet a hivatalos közleményben, illetve a Computerworld újságírójának alapos és átfogó beszámolójában is. Emellett érdemes ellátogatni a rendezvény oldalára is, ugyanis ingyenes regisztrációt követően minden előadás visszanézhető.

Ez összesen több mint 100 különféle prezentációt jelent, amelyek között mindenki számára akad hasznos tartalom érdeklődési körtől és szakmai szinttől függetlenül. A legújabb trendekről szóló, üzleti fókuszú gondolatébresztő előadások éppúgy megtalálhatók köztük, mint mély technikai demók a legújabb innovációkról kezdő, középhaladó és haladó szintek szerint csoportosítva.

Akit az üzleti megközelítés és a kevés technikai részlet érdekel, az olyan témákban kaphat átfogó képet, mint például az üzleti működés szempontjából kritikus fontosságú Linux-rendszerek legújabb generációja vagy a biztonságos SAP-rendszerek alapjai. A feketeöves IT-prókat pedig olyan csemegék várják az előadások között, mint a „Hogyan lehet meghackelni a Kubernetest, és hogyan lehet védekezni a feltörés ellen?”, illetve a „A SUSE Manager feladatok automatizálása ITSM-eszközökkel”. De külön előadást szenteltek például annak is, hogy milyen képességekkel és megoldásokkal segíti a SUSE az edge rendszerek működtetését most és a jövőben.

Ha még nem tette volna meg, regisztráljon a rendezvény oldalára, és nézze meg, önnek milyen területeken tud hasznos újdonságokat mutatni a SUSE.

Ui: Természetesen idén is készültek nagyszerű feldolgozások. Ha könnyedebb formában szeretné megtudni a legfontosabb üzeneteket a friss megoldásokról és bejelentésekről, akkor „dalban mondjuk el”. Jó szórakozást! 🙂

K3s and Rancher Kubernetes Engine (RKE2) are two Kubernetes distributions from the SUSE Rancher container platform. Either project can be used to run a production-ready cluster; however, they target different use cases and consequently possess unique characteristics.

This article will explain the similarities and differences between the projects. You’ll learn when it makes sense to use RKE2 instead of K3s and vice versa. Selecting the right choice is important because it affects the security and compliance of the containerized workloads you deploy.

K3s and RKE2

K3s provides a production-ready Kubernetes cluster from a single binary that weighs in at under 60MB. Because K3s is so lightweight, it’s a great option for running Kubernetes at the edge on IoT devices, low-power servers and your developer workstations.

Meanwhile, RKE2 is an alternative project that also runs a production-ready cluster. It offers similar simplicity to K3s while adding additional security and conformance layers, including Federal Information Processing Standard (FIPS) 140-2 compliance for use in the U.S. federal government and DISA STIG compliance.

RKE2 has evolved from the original RKE project. It’s also known as RKE Government, reflecting its suitability for the most demanding sectors. It’s not just government agencies that can benefit, though — the distribution is ideal for all organizations that prioritize security and compliance, so it continues to be primarily marketed as RKE2.

Similarities between K3s and RKE2

K3s and RKE2 are both lightweight Cloud Native Computing Foundation (CNCF)-certified Kubernetes distributions that Rancher fully supports. Although they diverge in their target use cases, the two platforms have several intentional similarities in how they’re launched and operated. Both can be deployed with Rancher Manager, and they each run your containers using the industry-standard containerd runtime.

Usability

K3s and RKE2 each offer good usability with a quick setup experience.

Starting a K3s cluster on a new host can be achieved with one command and around 30 seconds of waiting:

$ curl -sfL https://get.k3s.io | sudo sh -

The service is registered and started for you, so you can immediately run kubectl commands to interact with your cluster:

$ k3s kubectl get pods

RKE2 doesn’t fare much worse. A similarly straightforward installation script is available to download its binary:

$ curl -sfL https://get.rke2.io | sudo sh -

RKE2 doesn’t start its service by default. Run the following commands to enable and start RKE2 in server (control plane) mode:

$ sudo systemctl enable rke2-server.service
$ sudo systemctl start rke2-server.service

You can find the bundled kubectl binary at /var/lib/rancher/rke2/bin. It’s not added to your PATH by default; a kubeconfig file is deposited to /etc/rancher/rke2/rke2.yaml:

$ export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
$ /var/lib/rancher/rke2/bin/kubectl get pods

Ease of operation

In addition to their usability, K3s and RKE2 are simple to operate. You can upgrade clusters created with either project by repeating the installation script on each node:

# K3s
$ curl -sfL https://get.k3s.io | sh -

# RKE2
$ curl -sfL https://get.rke2.io | sh -

You should repeat any flags you supplied to the original installation command.

Automated upgrades are supported using Rancher’s system-upgrade-controller. After installing the controller, you can declaratively create Plan objects that describe how to migrate the cluster to a new version. Plan is a custom resource definition (CRD) provided by the controller.

Backing up and restoring data is another common Kubernetes challenge. K3s and RKE2 also mirror each other in this field. Snapshots are automatically written and retained for a configurable period. You can easily restore a cluster from a snapshot by running the following command:

# K3s
$ k3s server \
    --cluster-reset \
    --cluster-reset-restore-path=/var/lib/rancher/k3s/server/db/etcd-old-<BACKUP_DATE>

# RKE2
$ rke2 server \
    --cluster-reset \
    --cluster-reset-restore-path=/var/lib/rancher/rke2/server/db/etcd-old-<BACKUP_DATE>

Deployment model

K3s and RKE2 share their single-binary deployment model. They bundle all their dependencies into one download, allowing you to deploy a functioning cluster with minimal Kubernetes experience.

The projects also support air-gapped environments to accommodate critical machines that are physically separated from your network. Air-gapped images are provided in the release artifacts. Once you’ve transferred the images to your machine, running the regular installation script will bootstrap your cluster.

High availability and multiple nodes

K3s and RKE2 are designed to run in production. K3s is often used in the development, too, having gained a reputation as an ideal single-node cluster. It has robust multi-node management and is capable of supporting fleets of IoT devices.

Both projects can run the control plane with high availability, too. You can distribute replicas of control plane components over several server nodes and use external data stores instead of the embedded ones.

Differences between K3s and RKE2

K3s and RKE2 both offer single-binary Kubernetes, high availability and easy backups, with many commands interchangeable between the two. However, some key differences affect where and when they should be used. It’s these characteristics that justify the distributions existing as two independent projects.

RKE2 is closer to upstream Kubernetes

K3s is CNCF-certified, but it deviates from upstream Kubernetes in a few ways. It uses SQLite instead of etcd as its default data store, although an embedded etcd instance is available as an option in modern releases. K3s also bundles additional utilities, such as the Traefik Ingress controller.

RKE2 sticks closer to standard Kubernetes, promoting conformance as one of its main features. This gives you confidence that workloads developed for other distributions will run reliably in RKE2. It reduces the risk of inconvenient gotchas that can occur when K3s steps out of alignment with upstream Kubernetes. RKE2 automatically uses etcd for data storage and omits nonstandard components included in K3s.

RKE2 uses embedded etcd

The standard SQLite database in K3s is beneficial for compactness and can optimize performance in small clusters. In contrast, RKE2’s default use of etcd creates a more conformant experience, allowing you to integrate directly with other Kubernetes tools that expect an etcd data store.

While K3s can be configured with etcd, it’s an option you need to turn on. RKE2 is designed around it, which reduces the risk of misconfiguration and subpar performance.

K3s also supports MySQL and PostgreSQL as alternative storage solutions. These let you manage your Kubernetes data using your existing tooling for relational databases, such as backups and maintenance operations. RKE2 only works with etcd, offering no support for SQL-based storage.

RKE2 is more security-minded

RKE2 has a much stronger focus on security. Whereas edge operation is K3s’s specialism, RKE2 prioritizes security as its greatest strength.

Hardened against the CIS benchmark

The distribution comes configured for compatibility with the CIS Kubernetes Hardening Benchmark v1.23 (v1.6 in RKE2 v1.25 and earlier). The defaults that RKE2 applies allow your clusters to reach the standard with minimal manual work.

You’re still responsible for tightening the OS-level controls on your nodes. This includes applying appropriate kernel parameters and ensuring the etcd data directory is correctly protected.

You can enforce that a safe configuration is required by starting RKE2 with the profile flag set to cis-1.23. RKE2 will then exit with a fatal error if the operating system hasn’t been suitably hardened.

Beyond configuring the OS, you must also set up suitable network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies) and [Pod security admission rules] to secure your cluster’s workloads. The security admission controller can be configured to use profiles which meet the CIS benchmark. This will prevent non-compliant Pods from being deployed to your cluster.

Regularly scanned for threats

The safety of the RKE2 distribution is maintained within its build pipeline. Components are regularly scanned for new common vulnerabilities and exposures (CVEs) using the Trivy container vulnerability tool. This provides confidence that RKE2 itself isn’t harboring threats that could let attackers into your environment.

FIPS 140-2 compliant

K3s lacks any formal security accreditations. RKE2 meets the FIPS 140-2 standard that the U.S. government uses to approve cryptographic modules.

The project’s Go code is compiled using FIPS-validated crypto modules instead of the versions in the Go standard library. Each of the distribution’s components, from the Kubernetes API server through to kubelet and the bundled kubectl binary, are compiled with the FIPS-compatible compiler.

The FIPS mandate means RKE2 can be deployed in government environments and other contexts that mandate verifiable cryptographic performance. The entire RKE2 stack is compliant when you use the built-in components, such as the containerd runtime and etcd data store.

When to use K3s

K3s should be your preferred solution when you’re seeking a performant Kubernetes distribution to run on the edge. It’s also a good choice for single-node development clusters as well as ephemeral environments used in your CI pipelines and other build tools.

This distribution makes the most sense in situations where your primary objective is deploying Kubernetes with all dependencies from a single binary. It’s lightweight, quick to start and easy to manage, so you can focus on writing and testing your application.

When to use RKE2

You should use RKE2 whenever security is critical, such as in government services and other highly regulated industries, including finance and healthcare. As previously stated, the complete RKE2 distribution is FIPS 140-2 compliant and comes hardened with the CIS Kubernetes Benchmark. It’s also the only DISA STIG-certified Kubernetes distribution, meaning it’s approved for use in the most stringent U.S. government environments, including the Department of Defense.

RKE2 is fully certified and tightly aligned with upstream Kubernetes. It omits the K3s components that aren’t standard Kubernetes or that are unstable alpha features. This increases the probability that your deployments will be interoperable across different environments. It also reduces the risk of nonconformance that can occur through oversight when you’re manually hardening Kubernetes clusters.

Near edge computing is another primary use case for RKE2 over K3s. RKE2 ships with support for multiple CNI networking plugins, including Cilium, Calico, and Multus. Multus allows pods to have multiple network interfaces attached, making it ideal for use cases such as telco distribution centers and factories with several different production facilities. In these situations, it’s critical to have robust networking support with different network adapters. K3s bundles Flannel as its built-in CNI plugin; you can install a different provider, but all configuration has to be performed manually. RKE2’s default distribution provides integrated options for common networking solutions.

Conclusion

K3s and RKE2 are two popular Kubernetes distributions that overlap each other in several ways. They both offer a simple deployment experience, frictionless long-term maintenance, and high performance and compatibility.

While designed for tiny and far-edge use cases, K3s are not limited to these scenarios. It’s also widely used for development, in labs, or in resource-constrained environments. However, K3s is not focused on security, so you’ll need to secure and enforce your clusters.

RKE2 takes the usability ethos from K3s and applies it to a fully conformant distribution. It’s tailored for security, close alignment with upstream Kubernetes, and compliance in regulated environments such as government agencies. RKE2 is suitable for both data centers and near-edge situations as it offers built-in support for advanced networking plugins, including Multus.

Which you should choose depends on where your cluster will run and the workloads you’ll deploy. You should use RKE2 if you want a hardened distribution for security-critical workloads or if you need FIPS 140-2 compliance. It will help you establish and maintain a healthy security baseline. K3s remain an actively supported alternative for less sensitive situations and edge workloads. It’s a batteries-included project for when you want to focus on your apps instead of the environment that runs them.

Both distributions can be managed by Rancher and integrated with your DevOps toolbox. You can use solutions like Fleet to deploy applications at scale with GitOps strategies, then head to the Rancher dashboard to monitor your workloads.

Introduction

Continuous Delivery (CD) frameworks for Kubernetes, like the one created by Rancher with Fleet, are quite robust and easy to implement. Still, there are some rough edges you should pay attention to. Jobs deployment is one of those scenarios where things may not be straightforward, so you may need to stop and think about the best way to process them.

We’ll explain here the challenges you may face and will give some tips about how to overcome them.

While this blog is based on Fleet’s CD implementation, most of what’s discussed here also applies to other tools like ArgoCD or Flux.

The problem

Let’s start with a small recap about how Kubernetes objects work.

There are some elements in Kubernetes objects that are immutable. That means that changes to the immutable fields are not allowed once one of those objects is created.

A Kubernetes Job is a good example as the template field, where the actual code of the Job is defined, is immutable. Once created, the code can’t be changed. If we make any changes, we’ll get an error during the deployment.
This is how the error looks when we try to update the Job:

The Job "update-job" is invalid: spec.template: Invalid value: 
core.PodTemplateSpec{ObjectMeta:v1.ObjectMeta{Name:"", GenerateName:"", Namespace:"", SelfLink:"", 
UID:"", ResourceVersion:"", 
.... 
: field is immutable

And this is how the error is shown on Fleet’s UI:

When we do deployments manually and update code within Jobs, we can delete the previous Job manually and relaunch our deployment. However, when using Continuous Delivery (CD), things should work without manual intervention. It’s critical to find a way for the CD process to run without errors and update Jobs in a way that doesn’t need manual intervention.

Thus we have reached the point where we have a new version of a Job code that needs to be deployed, and the old Job should not stop us from doing that in an automated way.

Things to consider before configuring your CD process

Our first recommendation, even if not directly related to the Fleet or Jobs update problem, is always to try using Helm to distribute applications.

Helm installation packages (called Charts) are easy to build. You can quickly build a Chart by putting together all your Kubernetes deployment files in a folder called templates plus some metadata (name, version, etc.) defined in a file called Chart.yaml.

Using Helm to distribute applications with CD tools like Fleet and ArgoCD offers some additional features that can be useful when dealing with Job updates.

Second, In terms of how Jobs are implemented and their internal logic behaves, they must be designed to be idempotent. Jobs are meant to be run just once, and if our CD process manages to update and recreate them on each run, we need to be sure that relaunching them doesn’t break anything.

Idempotency is an absolute must while designing Kubernetes CronJobs, but all those best practices should also be applied here to avoid undesired side effects.

Solutions

Solution 1: Let Jobs self-destroy after execution

The process is well described in Kubernetes documentation:

“A way to clean up finished Jobs automatically is to use a TTL mechanism provided by a TTL controller for finished resources, by specifying the spec.ttlSecondsAfterFinished field of the Job”

Example:

apiVersion: batch/v1
kind: TestJob
metadata:
  name: job-with-ttlsecondsafterfinished
spec:
  ttlSecondsAfterFinished: 5
  template:
    spec:
...

When we add ttlSecondsAfterFinished to the spec, the TTL controller will delete the Job once it finishes. If the field is not present or the value is empty, the Job won’t be deleted, following the traditional behavior. A value of 0 will fire the deletion just after it finishes its execution. An integer value greater than 0 will define how many seconds will pass after the execution before the Job is deleted. This new feature has been stable since Kubernetes 1.23.

While this seems a pretty elegant way to clean finished jobs (future runs won’t complain about the update of immutable resources), it creates some problems for the CD tools.

The entire CD concepts rely on the fact that our external repos holding our application definition are the source of truth. That means that CD tools are constantly monitoring our deployment and notifying us about changes.

As a result, Fleet detects a change when the Job is deleted, so the deployment is marked as “Modified”:

If we look at the details, we can see how Fleet detected that the Job is missing:

The change can also be seen in the corresponding Fleet Bundle status:

...
status:
  conditions:
  - lastUpdateTime: "2022-10-02T19:39:09Z"
    message: Modified(2) [Cluster fleet-default/c-ntztj]; job.batch fleet-job-with-ttlsecondsafterfinished/job-with-ttlsecondsafterfinished
      missing
    status: "False"
    type: Ready
  - lastUpdateTime: "2022-10-02T19:39:10Z"
    status: "True"
    type: Processed
  display:
    readyClusters: 0/2
    state: Modified
  maxNew: 50
  maxUnavailable: 2
  maxUnavailablePartitions: 0
  observedGeneration: 1
...

This solution is really easy to implement, with the only drawback of having repositories marked as Modified, which may be confusing over time.

Solution 2: Use a different Job name on each deployment

Here is when Helm comes to our help.

Using Helm’s processing, we can easily generate a random name for the Job each time Fleet performs an update. The old Job will also be removed as it’s no longer in our Git repository.

apiVersion: batch/v1
kind: Job
metadata:
  name: job-with-random-name-{{ randAlphaNum 8 | lower }}
  labels:
    realname: job-with-random-name
spec:
  template:
    spec:
      restartPolicy: Never
...

Summary

We hope what we have shared here helps to understand better how to manage Jobs in CD scenarios and how to deal with changes on immutable objects.

The code examples used in this blog are available on our GitHub repository: https://github.com/SUSE-Technical-Marketing/fleet-job-deployment-examples

If you have other scenarios that you’d want us to cover, we’d love to hear them and discuss ideas that can help improve Fleet in the future.

Please join us at the Rancher’s community Slack channel for Fleet and Continuous Delivery or at the CNCF official Slack Channel for Rancher.