はじめに

このブログポストでは、Rancher 2.8の新機能の1つであり、Cluster API（CAPI）を使用したクラスタのデプロイを助ける、Rancher Turtlesの使い方を紹介します。

これは、Rancherを使ってKubernetesクラスタをデプロイするための既存の方法に追加されたもので、現在はテスト版の状態ですが、将来のバージョンで完全にサポートされるようになる見込みです。

現在、Rancher TurtlesとRancherのGitOpsツールであるFleetの助けを借りて、CAPIをサポートするプラットフォーム上のクラスタのライフサイクル管理を簡単に自動化することができます。

プロバイダーがCAPIをサポートしている場合、プラットフォーム固有のAPIを使用することなく、共通のAPIを使用して、クラスタに必要なリソースのプロビジョニングと管理をコントロールできます。CAPIを使えば、あまりカスタマイズすることなくKubernetesクラスタをハイブリッド環境で利用できるため、プロバイダを変更する必要がある場合も簡単に対応ができ、作業がよりスムーズになります。

CAPIとは？

CAPIとはCluster API（クラスタAPI）の略で、「複数のKubernetesクラスタのプロビジョニング、アップグレード、運用を簡素化するための宣言型APIとツールの提供に焦点を当てたKubernetesのサブプロジェクト」です。(出典：https://cluster-api.sigs.k8s.io/）。

これは、Kubernetesクラスタのライフサイクル管理を支援するもので、クラスタがオンプレミスにデプロイされているかクラウドにデプロイされているかに関係なく、プラットフォームにとらわれず、統一したクラスタ操作を提供することができます。

Kubernetesの実行に必要ないクラスタ下のインフラのライフサイクルを管理したり、異なるインフラプロバイダーにまたがるクラスタを管理したり、作成やアップグレード以外にクラスタノードを設定したりすることは意図されていません。

より詳細な情報については、The Cluster API Book（特に導入と概念の部分）を確認することをお勧めします。

Rancher Turtlesのセットアップ（オプション）

冒頭で述べたように、Rancher Turtlesは異なるCAPIプロバイダと統合することを可能にする技術であり、古いバージョンのRancherにはデフォルトで付属していませんが、古いクラスタで試したい場合は、以下の方法で行うことができます。

Requirements: Rancher 2.7以上

コンソールから、組み込みCAPI機能を無効にします：

kubectl apply -f feature.yaml

---
apiVersion: management.cattle.io/v3
kind: Feature
metadata:
name: embedded-cluster-api
spec:
value: false
...

kubectl delete mutatingwebhookconfiguration.admissionregistration.k8s.io mutating-webhook-configuration

kubectl delete validatingwebjookconfigurations.admissionregistration.k8s.io validating-webhook-configuration

Rancher Turtlesリポジトリを追加する

管理クラスタに切り替えて、Rancher Turtlesのアプリケーションリポジトリを追加します：

helm repo add turtles https://rancher-sandbox.github.io/rancher-turtles

Rancher Turtlesをインストールする

helm -n rancher-turtles-system install rancher-turtles --create-namespace --set cluster-api-operator.cert-manager.enabled=false

現在、Cert ManagerはRancher Turtlesの要件であることに注意してください。この例ではインストールされていることを前提としていますが、オペレータに自動的にインストールさせたい場合は、cluster-api-operator.cert-manager.enabled=true（デフォルトオプション）に設定してください。

CAPIプロバイダーを追加インストールする

kubectl apply -f capd-provider.yml

---
apiVersion: v1
kind: Namespace
metadata:
name: capd-system
...
---
apiVersion: operator.cluster.x-k8s.io/v1alpha1
kind: InfrastructureProvider
metadata:
name: docker
namespace: capd-system
spec:
secretName: capi-env-variables
secretNamespace: capi-system
...

この後、GitOpsの原則に従って新しいクラスタをプロビジョニングする準備が整いました。

Fleetを使ったGitOpsに続く新しいクラスタのプロビジョニング！

CAPIを使うことで、新しいAPIを学んだり、それぞれのAPIに対して多くのカスタマイズを施したりすることなく、異なるプラットフォームへのクラスタのデプロイが簡単になることをお話ししました。今回は、このCAPIの定義をFleetで使って、GitOpsの原則に従ってKubernetesクラスタを管理する方法をご紹介します。

プロセス：

Fleetでリポジトリが設定された後、または後で誰かがリポジトリに変更を加えたとき。

Fleetはこれらの変更をチェックし、CAPIクラスタ定義が見つかると、FleetはそれをRancher Turtlesに渡します。

その後、Turtlesはファイルを処理し、指定されたCAPIプロバイダーに処理依頼を行います：

新機能とFleetについて話してますが、Fleet新バージョンの特にエキサイティングな機能をご紹介したいと思います：
ドリフトリコンシリエーション
これによって、リソースがGITリポジトリで定義されたものと一致しない場合、それを上書きして同じ状態にするようFleetに指示できるようになりました。詳細については新しいブログ記事を作成する予定です。

Fleet の設定

まず、gitリポジトリをFleetに追加します。

実際のデプロイはインフラストラクチャプロバイダが行います。

kubectl apply -f myclusters-repo.yaml

---
apiVersion: fleet.cattle.io/v1alpha1
kind: GitRepo
metadata:
name: clusters
namespace: fleet-local
spec:
repo:
https://github.com/rancher-sandbox/rancher-turtles-fleet-example.git
branch: main
paths:
- clusters
...

これで、Fleetがリポジトリの “main “ブランチの”/clusters “パスの配下の変更を検出すると、定義した変更を自動的に環境へ適用します。

これは単なる例であることに注意してください。さらに複雑な条件を取り入れるために、このリポジトリ定義をカスタマイズすることができますが、コンセプトは同じです。

クラスタ定義の作成とプルリクエストの承認が、新しいクラスタ作成の準備に必要な唯一のステップです。

おまけ： Fleet-localネームスペースでデプロイしていることにお気づきでしょうか？もし興味があり、もっと知りたいのであれば、このリンクをチェックしてください。

Rancherの設定：

これでRancherにアクセスして、CRDがデプロイされているネームスペース内のすべてのクラスタを自動インポートしたいと指示することができます。
そのためには、以下のコマンドを実行してrancher-auto-import機能を有効にします。

kubectl label namespace <mynamespace> cluster-api.cattle.io/rancher-auto-import=true

この例では、クラスタ定義がネームスペース「default」にあることにご注意してください。

しばらくすると、Rancherの “Cluster Management “セクションに新しいクラスタがインポートされ、管理している他のクラスタと同じように表示されるのがわかります。

CAPIを使って新しくデプロイされたクラスタを調べる

クラスタの右側にある “Explore “ボタンをクリックすると、Rancherで他のクラスタと同じように管理できます。

kubeconfigをローカルにコピーし、便宜上、以下のコマンドを実行してkubectlやその他のツールで使用するデフォルトとして設定します：

export KUBECONFIG=<my-new-cluster-kubeconfig-file>

あるいは、選択したツールのコマンドラインで指定します。

例えば、コマンドを実行して動作を確認することができます：

kubectl get pods -A -w --insecure-skip-tls-verify

新しいクラスタ上で動いているポッドが表示されるはずです。

まとめ

コマンドラインから操作を行う方法を見てきましたが、将来的にRancherはWeb UIから直接Turtleを管理するためのUI拡張機能を組み込む予定です！

Rancher Primeの詳細と、コンテナ技術であなたのビジネスをさらに成長させ、より安全で俊敏にするための支援方法については、当社のウェブサイトをご覧ください。

Rancherについてさらに詳しくお知りになりたい方は、無料のホワイトペーパー「Why rancher?」をダウンロードいただくか、Rancher Rodeo、Rancher Academyにご参加ください。

👉SUSEの製品やサービスに関する詳細については、お気軽にお問い合わせください。

25年以上にわたり、オープンソースは私たちの世界に革命をもたらしてきました。Linuxの成長から仮想化、クラウドへの移行など、テクノロジーにおける主要な進歩の全てとは言わないまでも、その多くはオープンソースの革新が原動力となっています。私にとって、その理由は明らかです。
開発結果が後で還元され、全員が利益を得ることができる枠組みの下で、できるだけ多くの人が最善策を見つけるために努力することを良いことと思いませんか？そして問題が見つかれば、皆で解決する。
その根底にあるのは、ソフトウェアは「誰でも自由にアクセスし、使用し、変更し、（修正された形でも修正されていない形でも）共有できる」べきであるという考え方です。
ベンダーから提供されたソースを顧客が共有することを制限することは、ソフトウェアを（１ユーザーとして）共同で分析し、監査する能力を制限します。

SUSEは、この見解を100%支持します。プロプライエタリになることが、オープンソース企業間の競争の根拠になってはなりません。私たちは皆、オープンソースコミュニティに貢献しています。同じように、私たちは皆、オープンソースコミュニティから恩恵を受けています。オープンソースは、私たちの総和よりも大きなものなのです。

SUSEでは、オープンソースコミュニティと積極的に協力し、オープンソースプロジェクトからエンタープライズグレードの製品を構築しています。当社の顧客は、ソフトウェアに対価を支払うのではなく、長期にわたる24時間365日のサポート、セキュリティ、認定スタック、そしてオープンソースコミュニティの代表として、ビジネスクリティカルな環境でそれを実行する能力に対価を支払うのです。私たちは、お客様にとって最も信頼性が高く、費用対効果に優れたベンダーであることを競うのです。

ソースコード入手の制限により、競争環境は誤った方向にシフトすると考えています。

最優先事項は、お客様に選択肢を提供し続けることです。SUSEは本日、RHELコードベースのハードフォークを構築し、サポートし、コミュニティに貢献すると発表しました。これは我々が得意とすることであり、顧客に長期的な互換性と選択肢を提供することになります。

本取り組みをわかりやすくご説明いたします：

携帯電話のユーザーであれば、電話番号を保持したまま電話会社のプロバイダを変更できる機能を求めるでしょう。

同様に、Enterprise Linuxのユーザーであれば、既存のLinuxを維持したままSUSEに乗り換えることができます。SUSEは、オープンソースソフトウェアのユーザに対して、顧客にとって重要な点を妥協することなく、高い競争力で企業価値を提供するエキスパートです。

SUSEは、ユニークな立場にあります。SUSEには、30年以上にわたってLinuxに貢献してきたエンジニアリングの専門知識があり、ミッションクリティカルなワークロードに対応できる体制を整えています。当社のチームは、混在環境のサポートに豊富な経験を有しています。昨年は、CentOSとRHELのサポートを必要とするお客様のために、SUSE Liberty Linuxを発表しました。さらに、SUSE Managerは、さまざまなLinuxディストリビューションを効率的に管理できることで長年にわたって定評があり、ユーザーに柔軟性と選択肢を提供するという当社の取り組みを示しています。SUSEは、この作業を共有するというコミットメントを堅持しています。私たちは、皆様がソースコードに自由かつオープンにアクセスできるようにし、プロジェクトが制限されることは決してありません。

もう1点付け加えたいと思います。SUSEが、openSUSE Linuxディストリビューションだけでなく、SUSE Linux Enterprise（SLE）およびAdaptable Linux Platform（ALP）ソリューションにも引き続き全面的にコミットしていることは言うまでもありません。私たちは、企業やコミュニティが、混在した環境でも自由にイノベーションを起こせるようにしたいと考えています。

私たちと同じように、選択肢の実現にワクワクしている方は、ぜひご参加ください。
皆様からのご連絡をお待ちしております： Choice@SUSE.com

SUSEは皆様に選択肢を提供します！

DP

Red Hat社は先週、ソースコードへのアクセスポリシーを大幅に変更しました。ベンダー、開発者、ユーザーに対する影響は大きく、この動きはオープンソースコミュニティに懸念をもたらしました。私は、この決定にできる限り焦点を当て、コミュニティ全般、特にSUSEの顧客とパートナーにご安心いただきたいと思います。

何が起きたのか？

Red Hatは、Red Hat Enterprise Linux（RHEL）のソースコードへのパブリックアクセスを削除することを決定しました。これはソースコードアクセスポリシーの大きな変更であり、この決定はオープンソースコミュニティに大きな懸念を引き起こしました。これは当然の懸念です。RHELの存在は、SUSEをはじめとするさまざまな貢献者によって開発されたLinuxカーネルを含む、多くのアップストリームプロジェクトの協力に負うところが大きいのです。共に革新することこそが、私どものコアにあるものです。私たちは皆、個々の力を合わせた以上のものを築くために、努力しています。私たちは皆、相互に依存しているのです。

オープンソースの価値を守る

SUSEでは、オープンソースの原則とコラボレーションの力を大切にしています。オープンソースの状況の変化は、ダイナミクスを変える可能性はありますが、ソフトウェアへのアクセス、変更、配布の自由は、すべての人に開かれたままであるべきだと固く信じています。顧客満足度、安定性、信頼性へのコミットメントは揺るぎません。私たちは、堅牢なサポートインフラへの投資を継続し、タイムリーなアップデートを提供し、コミュニティユーザーとお客様にクラス最高のユーザーエクスペリエンスを提供します。

SUSE Liberty Linuxのお客様への取り組み

SUSEは、CentOSやRHELを含め、種々のディストリビューションの混在環境の運用および管理を行う多くの企業のお客様を支援しています。このようなお客様のためのソリューションがSUSE Liberty Linuxです。弊社は、SUSE Liberty Linuxのシームレスなエクスペリエンスを提供することに引き続き全力を尽くしており、お客様に安心していただきたいと考えています。Red Hatの決定がそれを変えることはありません。私たちは、オープンソースコミュニティのパートナーとの協力を継続し、数十年にわたる専門知識を活用して、今後もRed Hatのバイナリ互換アップデートとセキュリティ修正を提供していきます。

今後の展望

SUSEはまた、オープンソースのイノベーションは、コードの入手性ににとどまらず、コラボレーションによって促進されることも認識しています。SUSEは、業界の専門家、開発者、パートナーとの積極的な関わりを通じて、Adaptable Linux PlatformやSUSE Linux Enterpriseスイートなど、openSUSEコミュニティを中心とした活気あるエコシステムの育成に引き続き取り組んでいきます。私たちは、オープンソースムーブメントを強化し、すべてのステークホルダーに豊かな未来を約束します。

真にオープンで協力的であり続けるために、オープンソースコミュニティとの既存の協力関係をどのように強化するつもりであるかについては、近日中に詳細をお知らせします。コミュニティとの協力関係の強化こそが、最善の道であり、唯一の道なのです。

K3s and Rancher Kubernetes Engine (RKE2) are two Kubernetes distributions from the SUSE Rancher container platform. Either project can be used to run a production-ready cluster; however, they target different use cases and consequently possess unique characteristics.

This article will explain the similarities and differences between the projects. You’ll learn when it makes sense to use RKE2 instead of K3s and vice versa. Selecting the right choice is important because it affects the security and compliance of the containerized workloads you deploy.

K3s and RKE2

K3s provides a production-ready Kubernetes cluster from a single binary that weighs in at under 60MB. Because K3s is so lightweight, it’s a great option for running Kubernetes at the edge on IoT devices, low-power servers and your developer workstations.

Meanwhile, RKE2 is an alternative project that also runs a production-ready cluster. It offers similar simplicity to K3s while adding additional security and conformance layers, including Federal Information Processing Standard (FIPS) 140-2 compliance for use in the U.S. federal government and DISA STIG compliance.

RKE2 has evolved from the original RKE project. It’s also known as RKE Government, reflecting its suitability for the most demanding sectors. It’s not just government agencies that can benefit, though — the distribution is ideal for all organizations that prioritize security and compliance, so it continues to be primarily marketed as RKE2.

Similarities between K3s and RKE2

K3s and RKE2 are both lightweight Cloud Native Computing Foundation (CNCF)-certified Kubernetes distributions that Rancher fully supports. Although they diverge in their target use cases, the two platforms have several intentional similarities in how they’re launched and operated. Both can be deployed with Rancher Manager, and they each run your containers using the industry-standard containerd runtime.

Usability

K3s and RKE2 each offer good usability with a quick setup experience.

Starting a K3s cluster on a new host can be achieved with one command and around 30 seconds of waiting:

$ curl -sfL https://get.k3s.io | sudo sh -

The service is registered and started for you, so you can immediately run kubectl commands to interact with your cluster:

$ k3s kubectl get pods

RKE2 doesn’t fare much worse. A similarly straightforward installation script is available to download its binary:

$ curl -sfL https://get.rke2.io | sudo sh -

RKE2 doesn’t start its service by default. Run the following commands to enable and start RKE2 in server (control plane) mode:

$ sudo systemctl enable rke2-server.service
$ sudo systemctl start rke2-server.service

You can find the bundled kubectl binary at /var/lib/rancher/rke2/bin. It’s not added to your PATH by default; a kubeconfig file is deposited to /etc/rancher/rke2/rke2.yaml:

$ export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
$ /var/lib/rancher/rke2/bin/kubectl get pods

Ease of operation

In addition to their usability, K3s and RKE2 are simple to operate. You can upgrade clusters created with either project by repeating the installation script on each node:

# K3s
$ curl -sfL https://get.k3s.io | sh -

# RKE2
$ curl -sfL https://get.rke2.io | sh -

You should repeat any flags you supplied to the original installation command.

Automated upgrades are supported using Rancher’s system-upgrade-controller. After installing the controller, you can declaratively create Plan objects that describe how to migrate the cluster to a new version. Plan is a custom resource definition (CRD) provided by the controller.

Backing up and restoring data is another common Kubernetes challenge. K3s and RKE2 also mirror each other in this field. Snapshots are automatically written and retained for a configurable period. You can easily restore a cluster from a snapshot by running the following command:

# K3s
$ k3s server \
    --cluster-reset \
    --cluster-reset-restore-path=/var/lib/rancher/k3s/server/db/etcd-old-<BACKUP_DATE>

# RKE2
$ rke2 server \
    --cluster-reset \
    --cluster-reset-restore-path=/var/lib/rancher/rke2/server/db/etcd-old-<BACKUP_DATE>

Deployment model

K3s and RKE2 share their single-binary deployment model. They bundle all their dependencies into one download, allowing you to deploy a functioning cluster with minimal Kubernetes experience.

The projects also support air-gapped environments to accommodate critical machines that are physically separated from your network. Air-gapped images are provided in the release artifacts. Once you’ve transferred the images to your machine, running the regular installation script will bootstrap your cluster.

High availability and multiple nodes

K3s and RKE2 are designed to run in production. K3s is often used in the development, too, having gained a reputation as an ideal single-node cluster. It has robust multi-node management and is capable of supporting fleets of IoT devices.

Both projects can run the control plane with high availability, too. You can distribute replicas of control plane components over several server nodes and use external data stores instead of the embedded ones.

Differences between K3s and RKE2

K3s and RKE2 both offer single-binary Kubernetes, high availability and easy backups, with many commands interchangeable between the two. However, some key differences affect where and when they should be used. It’s these characteristics that justify the distributions existing as two independent projects.

RKE2 is closer to upstream Kubernetes

K3s is CNCF-certified, but it deviates from upstream Kubernetes in a few ways. It uses SQLite instead of etcd as its default data store, although an embedded etcd instance is available as an option in modern releases. K3s also bundles additional utilities, such as the Traefik Ingress controller.

RKE2 sticks closer to standard Kubernetes, promoting conformance as one of its main features. This gives you confidence that workloads developed for other distributions will run reliably in RKE2. It reduces the risk of inconvenient gotchas that can occur when K3s steps out of alignment with upstream Kubernetes. RKE2 automatically uses etcd for data storage and omits nonstandard components included in K3s.

RKE2 uses embedded etcd

The standard SQLite database in K3s is beneficial for compactness and can optimize performance in small clusters. In contrast, RKE2’s default use of etcd creates a more conformant experience, allowing you to integrate directly with other Kubernetes tools that expect an etcd data store.

While K3s can be configured with etcd, it’s an option you need to turn on. RKE2 is designed around it, which reduces the risk of misconfiguration and subpar performance.

K3s also supports MySQL and PostgreSQL as alternative storage solutions. These let you manage your Kubernetes data using your existing tooling for relational databases, such as backups and maintenance operations. RKE2 only works with etcd, offering no support for SQL-based storage.

RKE2 is more security-minded

RKE2 has a much stronger focus on security. Whereas edge operation is K3s’s specialism, RKE2 prioritizes security as its greatest strength.

Hardened against the CIS benchmark

The distribution comes configured for compatibility with the CIS Kubernetes Hardening Benchmark v1.23 (v1.6 in RKE2 v1.25 and earlier). The defaults that RKE2 applies allow your clusters to reach the standard with minimal manual work.

You’re still responsible for tightening the OS-level controls on your nodes. This includes applying appropriate kernel parameters and ensuring the etcd data directory is correctly protected.

You can enforce that a safe configuration is required by starting RKE2 with the profile flag set to cis-1.23. RKE2 will then exit with a fatal error if the operating system hasn’t been suitably hardened.

Beyond configuring the OS, you must also set up suitable network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies) and [Pod security admission rules] to secure your cluster’s workloads. The security admission controller can be configured to use profiles which meet the CIS benchmark. This will prevent non-compliant Pods from being deployed to your cluster.

Regularly scanned for threats

The safety of the RKE2 distribution is maintained within its build pipeline. Components are regularly scanned for new common vulnerabilities and exposures (CVEs) using the Trivy container vulnerability tool. This provides confidence that RKE2 itself isn’t harboring threats that could let attackers into your environment.

FIPS 140-2 compliant

K3s lacks any formal security accreditations. RKE2 meets the FIPS 140-2 standard that the U.S. government uses to approve cryptographic modules.

The project’s Go code is compiled using FIPS-validated crypto modules instead of the versions in the Go standard library. Each of the distribution’s components, from the Kubernetes API server through to kubelet and the bundled kubectl binary, are compiled with the FIPS-compatible compiler.

The FIPS mandate means RKE2 can be deployed in government environments and other contexts that mandate verifiable cryptographic performance. The entire RKE2 stack is compliant when you use the built-in components, such as the containerd runtime and etcd data store.

When to use K3s

K3s should be your preferred solution when you’re seeking a performant Kubernetes distribution to run on the edge. It’s also a good choice for single-node development clusters as well as ephemeral environments used in your CI pipelines and other build tools.

This distribution makes the most sense in situations where your primary objective is deploying Kubernetes with all dependencies from a single binary. It’s lightweight, quick to start and easy to manage, so you can focus on writing and testing your application.

When to use RKE2

You should use RKE2 whenever security is critical, such as in government services and other highly regulated industries, including finance and healthcare. As previously stated, the complete RKE2 distribution is FIPS 140-2 compliant and comes hardened with the CIS Kubernetes Benchmark. It’s also the only DISA STIG-certified Kubernetes distribution, meaning it’s approved for use in the most stringent U.S. government environments, including the Department of Defense.

RKE2 is fully certified and tightly aligned with upstream Kubernetes. It omits the K3s components that aren’t standard Kubernetes or that are unstable alpha features. This increases the probability that your deployments will be interoperable across different environments. It also reduces the risk of nonconformance that can occur through oversight when you’re manually hardening Kubernetes clusters.

Near edge computing is another primary use case for RKE2 over K3s. RKE2 ships with support for multiple CNI networking plugins, including Cilium, Calico, and Multus. Multus allows pods to have multiple network interfaces attached, making it ideal for use cases such as telco distribution centers and factories with several different production facilities. In these situations, it’s critical to have robust networking support with different network adapters. K3s bundles Flannel as its built-in CNI plugin; you can install a different provider, but all configuration has to be performed manually. RKE2’s default distribution provides integrated options for common networking solutions.

Conclusion

K3s and RKE2 are two popular Kubernetes distributions that overlap each other in several ways. They both offer a simple deployment experience, frictionless long-term maintenance, and high performance and compatibility.

While designed for tiny and far-edge use cases, K3s are not limited to these scenarios. It’s also widely used for development, in labs, or in resource-constrained environments. However, K3s is not focused on security, so you’ll need to secure and enforce your clusters.

RKE2 takes the usability ethos from K3s and applies it to a fully conformant distribution. It’s tailored for security, close alignment with upstream Kubernetes, and compliance in regulated environments such as government agencies. RKE2 is suitable for both data centers and near-edge situations as it offers built-in support for advanced networking plugins, including Multus.

Which you should choose depends on where your cluster will run and the workloads you’ll deploy. You should use RKE2 if you want a hardened distribution for security-critical workloads or if you need FIPS 140-2 compliance. It will help you establish and maintain a healthy security baseline. K3s remain an actively supported alternative for less sensitive situations and edge workloads. It’s a batteries-included project for when you want to focus on your apps instead of the environment that runs them.

Both distributions can be managed by Rancher and integrated with your DevOps toolbox. You can use solutions like Fleet to deploy applications at scale with GitOps strategies, then head to the Rancher dashboard to monitor your workloads.

Introduction

Continuous Delivery (CD) frameworks for Kubernetes, like the one created by Rancher with Fleet, are quite robust and easy to implement. Still, there are some rough edges you should pay attention to. Jobs deployment is one of those scenarios where things may not be straightforward, so you may need to stop and think about the best way to process them.

We’ll explain here the challenges you may face and will give some tips about how to overcome them.

While this blog is based on Fleet’s CD implementation, most of what’s discussed here also applies to other tools like ArgoCD or Flux.

The problem

Let’s start with a small recap about how Kubernetes objects work.

There are some elements in Kubernetes objects that are immutable. That means that changes to the immutable fields are not allowed once one of those objects is created.

A Kubernetes Job is a good example as the template field, where the actual code of the Job is defined, is immutable. Once created, the code can’t be changed. If we make any changes, we’ll get an error during the deployment.
This is how the error looks when we try to update the Job:

The Job "update-job" is invalid: spec.template: Invalid value: 
core.PodTemplateSpec{ObjectMeta:v1.ObjectMeta{Name:"", GenerateName:"", Namespace:"", SelfLink:"", 
UID:"", ResourceVersion:"", 
.... 
: field is immutable

And this is how the error is shown on Fleet’s UI:

When we do deployments manually and update code within Jobs, we can delete the previous Job manually and relaunch our deployment. However, when using Continuous Delivery (CD), things should work without manual intervention. It’s critical to find a way for the CD process to run without errors and update Jobs in a way that doesn’t need manual intervention.

Thus we have reached the point where we have a new version of a Job code that needs to be deployed, and the old Job should not stop us from doing that in an automated way.

Things to consider before configuring your CD process

Our first recommendation, even if not directly related to the Fleet or Jobs update problem, is always to try using Helm to distribute applications.

Helm installation packages (called Charts) are easy to build. You can quickly build a Chart by putting together all your Kubernetes deployment files in a folder called templates plus some metadata (name, version, etc.) defined in a file called Chart.yaml.

Using Helm to distribute applications with CD tools like Fleet and ArgoCD offers some additional features that can be useful when dealing with Job updates.

Second, In terms of how Jobs are implemented and their internal logic behaves, they must be designed to be idempotent. Jobs are meant to be run just once, and if our CD process manages to update and recreate them on each run, we need to be sure that relaunching them doesn’t break anything.

Idempotency is an absolute must while designing Kubernetes CronJobs, but all those best practices should also be applied here to avoid undesired side effects.

Solutions

Solution 1: Let Jobs self-destroy after execution

The process is well described in Kubernetes documentation:

“A way to clean up finished Jobs automatically is to use a TTL mechanism provided by a TTL controller for finished resources, by specifying the spec.ttlSecondsAfterFinished field of the Job”

Example:

apiVersion: batch/v1
kind: TestJob
metadata:
  name: job-with-ttlsecondsafterfinished
spec:
  ttlSecondsAfterFinished: 5
  template:
    spec:
...

When we add ttlSecondsAfterFinished to the spec, the TTL controller will delete the Job once it finishes. If the field is not present or the value is empty, the Job won’t be deleted, following the traditional behavior. A value of 0 will fire the deletion just after it finishes its execution. An integer value greater than 0 will define how many seconds will pass after the execution before the Job is deleted. This new feature has been stable since Kubernetes 1.23.

While this seems a pretty elegant way to clean finished jobs (future runs won’t complain about the update of immutable resources), it creates some problems for the CD tools.

The entire CD concepts rely on the fact that our external repos holding our application definition are the source of truth. That means that CD tools are constantly monitoring our deployment and notifying us about changes.

As a result, Fleet detects a change when the Job is deleted, so the deployment is marked as “Modified”:

If we look at the details, we can see how Fleet detected that the Job is missing:

The change can also be seen in the corresponding Fleet Bundle status:

...
status:
  conditions:
  - lastUpdateTime: "2022-10-02T19:39:09Z"
    message: Modified(2) [Cluster fleet-default/c-ntztj]; job.batch fleet-job-with-ttlsecondsafterfinished/job-with-ttlsecondsafterfinished
      missing
    status: "False"
    type: Ready
  - lastUpdateTime: "2022-10-02T19:39:10Z"
    status: "True"
    type: Processed
  display:
    readyClusters: 0/2
    state: Modified
  maxNew: 50
  maxUnavailable: 2
  maxUnavailablePartitions: 0
  observedGeneration: 1
...

This solution is really easy to implement, with the only drawback of having repositories marked as Modified, which may be confusing over time.

Solution 2: Use a different Job name on each deployment

Here is when Helm comes to our help.

Using Helm’s processing, we can easily generate a random name for the Job each time Fleet performs an update. The old Job will also be removed as it’s no longer in our Git repository.

apiVersion: batch/v1
kind: Job
metadata:
  name: job-with-random-name-{{ randAlphaNum 8 | lower }}
  labels:
    realname: job-with-random-name
spec:
  template:
    spec:
      restartPolicy: Never
...

Summary

We hope what we have shared here helps to understand better how to manage Jobs in CD scenarios and how to deal with changes on immutable objects.

The code examples used in this blog are available on our GitHub repository: https://github.com/SUSE-Technical-Marketing/fleet-job-deployment-examples

If you have other scenarios that you’d want us to cover, we’d love to hear them and discuss ideas that can help improve Fleet in the future.

Please join us at the Rancher’s community Slack channel for Fleet and Continuous Delivery or at the CNCF official Slack Channel for Rancher.

One of the greatest challenges that operators and developers face is infrastructure provisioning: it should be resilient, reliable, reproducible and even audited. This is where Infrastructure as Code (IaC) comes in.

In the last few years, we have seen many tools that tried to solve this problem, sometimes offered by the cloud providers (AWS CloudFormation) or vendor-agnostic solutions like Terraform and Pulumi. However, Kubernetes is becoming the standard for application deployment, and that’s where Crossplane fits in the picture. Crossplane is an open source Kubernetes add-on that transforms your cluster into a universal control plane.

The idea behind Crossplane is to leverage Kubernetes manifests to build custom control planes that can compose and provision multi-cloud infrastructure from any provider.

If you’re an operator, its highly flexible approach gives you the power to create custom configurations, and the control plane will track any change, trying to keep the state of your infrastructure as you configured it.

On the other side, developers don’t want to bother with the infrastructure details. They want to focus on delivering the best product to their customers, possibly in the fastest way. Epinio is a tool from SUSE that allows you to go from code to URL in just one push without worrying about all the intermediate steps. It will take care of building the application, packaging your image, and deploying it into your cluster.

This is why these two open source projects fit perfectly – provisioning infrastructure and deploying applications inside your Kubernetes platform!

Let’s take a look at how we can use them together:

# Push our app 
-> % epinio push -n myapp -p assets/golang-sample-app 

# Create the service 
-> % epinio service create dynamodb-table mydynamo 

# Bind the two 
-> % epinio service bind mydynamo myapp 

That was easy! With just three commands, we have:

1. Deployed our application
2. Provisioned a DynamoDB Table with Crossplane
3. Bound the service connection details to our application

Ok, probably too easy, but this was just the developer’s perspective. And this is what Epinio is all about: simplifying the developer experience.

Let’s look at how to set up everything to make it work!

Prerequisites

I’m going to assume that we already have a Kubernetes cluster with Epinio and Crossplane installed. To install Epinio, you can refer to our documentation. This was tested with the latest Epinio version v1.1.0, Crossplane v.1.9.0 and the provider-aws v0.29.0.

Since we are using the enable-external-secret-stores alpha feature of Crossplane to enable it, we need to provide the args={--enable-external-secret-stores} value during the Helm installation:

-> % helm install crossplane \
    --create-namespace --namespace crossplane-system \
    crossplane-stable/crossplane \
    --set args={--enable-external-secret-stores}

Also, provide the same argument to the AWS Provider with a custom ControllerConfig:

apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: aws-config
spec:
  args:
  - --enable-external-secret-stores
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: crossplane-provider-aws
spec:
  package: crossplane/provider-aws:v0.29.0
  controllerConfigRef:
    name: aws-config

Epinio services

To use Epinio and Crossplane together, we can leverage the Epinio Services. They provide a flexible way to add custom resources using Helm charts. The operator can prepare a Crossplane Helm chart to claim all resources needed. The Helm chart can then be added to the Epinio Service Catalog. Finally, the developers will be able to consume the service and have all the needed resources provisioned.

Prepare our catalog

We must prepare and publish our Helm chart to add our service to the catalog.

In our example, it will contain only a simple DynamoDB Table. In a real scenario, the operator will probably define a claim to a Composite Resource, but for simplicity, we are using some Managed Resource directly.

For a deeper look, I’ll invite you to take a look at the Crossplane documentation about composition.

We can see that this resource will “publish” its connection details to a secret defined with the publishConnectionDetailsTo attribute (this is the alpha feature that we need). The secret and the resource will have the app.kubernetes.io/instance label with the Epinio Service instance name. We can correlate the two with this label as Epinio services and configurations.

apiVersion: dynamodb.aws.crossplane.io/v1alpha1
kind: Table
metadata:
  name: {{ .Release.Name | quote }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
spec:
  publishConnectionDetailsTo:
    name: {{ .Release.Name }}-conn
    metadata:
      labels:
        app.kubernetes.io/instance: {{ .Release.Name | quote }}
      annotations:
        kubed.appscode.com/sync: "kubernetes.io/metadata.name={{ .Release.Namespace }}"
  providerConfigRef:
    name: aws-provider-config
  forProvider:
    region: eu-west-1
    tags:
    - key: env
      value: test
    attributeDefinitions:
    - attributeName: Name
      attributeType: S
    - attributeName: Surname
      attributeType: S
    keySchema:
    - attributeName: Name
      keyType: HASH
    - attributeName: Surname
      keyType: RANGE
    provisionedThroughput:
      readCapacityUnits: 7
      writeCapacityUnits: 7

Note: You can see a kubed annotation in this Helm chart. This is because the generated secrets need to be in the same namespace as the services and applications. Since we are using directly a managed resource then the secret will be in the namespace defined in the default StoreConfig (the crossplane-system  namespace). We are using kubed to copy this secret in the release namespace.
https://github.com/crossplane/crossplane/blob/master/design/design-doc-external-secret-stores.md#secret-configuration-publishconnectiondetailsto

We can now package and publish this Helm chart to a repository and add it to the Epinio Service Catalog by applying a service manifest containing the information on where to fetch the chart.

The application, .epinio.io/catalog-service-secret-types, define the list of the secret types that Epinio should look for. Crossplane will generate the secrets with their own secret type, so we need to explicit it.

apiVersion: application.epinio.io/v1
kind: Service
metadata:
  name: dynamodb-table
  namespace: epinio
  annotations:
    application.epinio.io/catalog-service-secret-types: connection.crossplane.io/v1alpha1
spec:
  name: dynamodb-table
  shortDescription: A simple DynamoDBTable that can be used during development
  description: A simple DynamoDBTable that can be used during development
  chart: dynamodb-test
  chartVersion: 1.0.0
  appVersion: 1.0.0
  helmRepo:
    name: reponame
    url: https://charts.example.com/reponame
  values: ""

Now we can see that our custom service is available in the catalog:

-> % epinio service catalog

Create and bind a service

Now that our service is available in the catalog, the developers can use it to provision DynamoDBTables with Epinio:

-> % epinio service create dynamodb-table mydynamo

We can check that a dynamo table resource was created and that the corresponding table is available on AWS:

-> % kubectl get tables.dynamodb.aws.crossplane.io
-> % aws dynamodb list-tables

We can now create an app with the epinio push command. Once deployed, we can bind it to our service with the epinio service bind:

-> % epinio push -n myapp -p assets/golang-sample-app
-> % epinio service bind mydynamo myapp
-> % epinio service list

And that’s it! We can see that our application was bound to our service!

The bind command did a lot of things. It fetched the secrets generated by Crossplane and labeled them as Configurations. It also redeployed the application mounting these configurations inside the container.

We can check this with some Epinio commands:

-> % epinio configuration list

-> % epinio configuration show x937c8a59fec429c4edeb339b2bb6-conn

The shown access path is available in the application container. We can use exec in the app and see the content of that files:

-> % epinio app exec myapp

Conclusion

In this blog post, I’ve shown you it’s possible to create an Epinio Service that will use Crossplane to provide external resources to your Epinio application. We have seen that once the heavy lifting is done, the provision of a resource is just a matter of a couple of commands.

While some of these features are not ready, the Crossplane team is working hard on them, and I think they will be available soon!

Next Steps: Learn More at the Global Online Meetup on Epinio

Join our Global Online Meetup: Epinio on Wednesday, September 14th, 2022, at 11 AM EST. Dimitris Karakasilis and Robert Sirchia will discuss the Epinio GA 1.0 release and how it delivers applications to Kubernetes faster, along with a live demo! Sign up here.