The SUSE CaaS Platform team is excited to announce the availability of our new version 4 – a container management solution that is easier to deploy and manage at scale, richer than ever in security and control, and ready with the latest innovations!
We listened to feedback from you, our customers and partners, about SUSE CaaS Platform version 3, and your wishes and needs were the main driver behind sweeping changes we made to the architecture and feature set.
- While earlier versions of SUSE CaaS Platform offered a special-purpose SUSE Linux Enterprise Server variant called MicroOS, many of our customers told us that they really wanted the ability to integrate their deployment and management of their container management platform with the standard SUSE tools they were accustomed to using (YaST/AutoYaST, SUSE Manager). SUSE CaaS Platform 4 is installed using our unified installer as an add-on to SUSE Linux Enterprise 15 SP1 – giving users the familiar tools and processes they already use. (We will reintroduce the ability to leverage transactional updates in a future release, this time using the implementation in the standard operating system products.)
- For rich automation of configuration of underlying clusters on private cloud platforms such as SUSE OpenStack Cloud and VMware vSphere, we added the use of Terraform templates that could be modified easily to meet customers’ specific deployment architectures. (This same tooling approach will be used later when version 4 is released for use in public clouds.)
- While our web-based Velum installer made it simple for users to deploy a cluster, what was easy to use for a single cluster became an interactive burden in scenarios such as development, testing, and training, where customers wanted to provision as many as dozens of clusters at once, or where they wanted to integrate cluster provisioning with other system management processes. The new version offers a command line interface based on the upstream kubeadm command (with contributions from SUSE engineers to make it possible to do the tasks our custom Salt code accomplished), orchestrated by a new open-source utility, skuba, created by SUSE to tie together many of the details of cluster setup and node management. This approach makes scriptable, non-interactive installation possible.
- Customers told us they wished to be able to go live with the latest capabilities developed by the Kubernetes project, yet be able to trust that the software they receive is secure and well tested. With this release, we begin to follow the Kubernetes upstream cadence of quarterly releases, with our goal being release of a new version of SUSE CaaS Platform within 90 days of the upstream release of the included Kubernetes version. (For instance, Kubernetes 1.15 was released in mid-June, and we are releasing our version 4.0 based on it in mid-September.) We believe this will give users a great balance between leading-edge functionality and solid supportability.
- Our previous deployment architecture not only required a lot of custom development by SUSE – it also imposed limits on cluster size. While most customers choose to scale by adding clusters, we have had several requests from very large customers. Version 4 removes bottlenecks and enables support of larger clusters. We have tested SUSE CaaS Platform 4 with clusters of 250 nodes; we expect that, as we develop our public cloud deployment, we will be able to test on, and thereby confirm support of, much larger clusters.
One of the most important areas of innovation was not a response to specific customer requests. Rather, it was an acknowledgment that one of the considerations that can slow adoption of microservices-based application architectures is identical to one that slowed adoption of virtualized infrastructure over a decade ago: concerns about the security of the new technology. In version 3 last year, we introduced support of PodSecurityPolicy settings to control the operations that containers could perform, as well as role-based access control (RBAC) to control who can do them. In version 4, we bring network security enforcement to the product with the addition of Cilium.
Here are two analogies that may make it easier to understand the role of Cilium in SUSE CaaS Platform. The first is that Cilium is “the Open vSwitch” of containers – bringing complex and context-based network topologies to the world of containers, just as Open vSwitch did to the world of virtualized infrastructure. (This one is particularly appropriate because our friends at Isovalent, who lead the Cilium Project, were also co-creators of OVS when they were at Nicira.)
The second is that Cilium is to iptables as next-generation firewalls (NGFW) are to traditional firewalls. As in the latter case, Cilium makes it possible to specify security policy not only in terms of IP addresses and ports, but also in terms of more application-related concepts such as DNS names and even Kubernetes labels, and to identify and secure traffic based on the actual layer 7 protocols (such as HTTP). Cilium uses a powerful kernel innovation called BPF – which stands for “Basic Packet Filter” but which is neither “basic” nor restricted just to packet filtering – to implement policy at previously unattainable levels of efficiency and scalability.
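To make the three policy dimensions just described concrete, here is an added example of a CiliumNetworkPolicy, written for this post rather than taken from the product or the Cilium project. It is a constructed policy for a hypothetical `shop` namespace with `frontend` and `backend` pods; the namespace, label values, port numbers, paths and the external hostname `api.example.com` are all assumptions. It uses Kubernetes labels (not IP addresses) to select who may talk to whom, an HTTP layer 7 rule that restricts the backend to read-only API calls, and a DNS-name egress rule instead of a hard-coded address.

```yaml
# Constructed example: one policy object covering the backend pods of the
# hypothetical "shop" namespace. Everything not explicitly allowed below is
# denied for the selected pods once the policy is applied.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-policy          # assumed name
  namespace: shop               # assumed namespace
spec:
  # Identity-based selection: the policy applies to pods carrying app=backend,
  # wherever they are scheduled and whatever IP they receive.
  endpointSelector:
    matchLabels:
      app: backend

  ingress:
    # Only pods labelled app=frontend may reach the backend, and only on
    # TCP/8080. The http rule is enforced by Cilium's layer 7 proxy: a POST or
    # a request outside /api/v1/ from the frontend is rejected even though the
    # TCP connection itself is allowed.
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: GET
                path: "/api/v1/.*"

  egress:
    # Allow DNS to kube-dns and ask Cilium to inspect the DNS traffic. This
    # visibility is what lets the toFQDNs rule below map the hostname to the
    # addresses the pod actually resolved.
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            "k8s:k8s-app": kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    # Egress to an external dependency by DNS name rather than by IP, limited
    # to HTTPS. Addresses behind the name may change; the policy does not.
    - toFQDNs:
        - matchName: "api.example.com"   # assumed external hostname
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

Applying this with `kubectl apply -f backend-policy.yaml` is enough to enforce it on a cluster where Cilium is the CNI; `kubectl describe cnp backend-policy -n shop` shows the object. Two points worth checking in practice: a policy that uses `toFQDNs` without a DNS rule that routes the pod's lookups through Cilium will silently allow nothing, because Cilium never learns which addresses the name resolved to; and once any policy selects a pod, that pod's default behaviour flips to deny for the direction the policy covers, so traffic you forgot to list (health checks, metrics scrapers) is the first thing to break.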
I don’t want to say too much about Cilium here – if you want to learn lots more, you can check out a webinar we and Isovalent recently presented for the Cloud Native Computing Foundation (CNCF), or look for a future blog post with lots more detail.
There are many more enhancements in SUSE CaaS Platform version 4 – delivery of the product itself mainly as a set of containers from a registry, the ability to update your cluster live without shutting down nodes or even draining workloads, being able to run smaller minimum-size clusters with the elimination of a dedicated admin node, the promotion of the efficient CRI-O container engine to be our standard runtime, and centralized logging, to name a few. And there will be more enhancements coming during the version 4.x lifecycle as well: in the works are a new operations GUI, as well as powerful monitoring, alerting, and visualization capabilities. We think you’ll find SUSE CaaS Platform to be a great step forward in flexibility, usability, and security.
One thing to be aware of is that, in order to make major architectural changes, we could not make SUSE CaaS Platform easily upgradeable in place from version 3 to version 4. We recommend that you deploy new clusters and migrate your workloads. If you have production clusters for which this is not possible, please contact your account team to see how SUSE Consulting Services could assist you with another approach.
If you are a current SUSE CaaS Platform user, please download and try out the latest version. If you are not, you can register for a free download and 60-day evaluation key. We think you’ll find that SUSE CaaS Platform 4 brings great advances to our certified, supported Kubernetes-based platform for application delivery.