Nested Kubernetes with Loft
Matryoshka
Domains, Clusters, and Isolation
The main purpose of Loft is, of course, strict isolation of the setups of different customers, and that is ultimately also Loft's unique selling point. After setting up Loft itself and connecting it to an existing Kubernetes cluster, the next step is to connect a user management system to Loft. As described, you have several options.
The simplest option is to maintain the users in Loft itself. The solution provides the required functionality and can manage a local user database. In companies with a central user directory, however, this kind of approach is unlikely to meet with approval and violates the principle of a single source of truth with regard to user data.
Fortunately, Loft can also be tied in with existing solutions such as an LDAP directory. The user data then comes directly from the directory, eliminating the need for a local user database in Loft. As a complement, the login can also be managed by the SSO service, which in fact is equivalent to disabling the password-based login in Loft.
Connecting Users and Clusters
Next comes the neuralgic moment in the interaction between Kubernetes and Loft. In Loft, you create a cluster account that gives a locally known user access to a Kubernetes cluster managed by Loft via Kiosk. Once you grant a local user access to a cluster, Loft tasks Kiosk with creating the appropriate namespace there and stores it as a virtual Kubernetes for deploying services.
Creating accounts does not have to be a manual task; the step can be automated with a template. Giving every employee in your company an account in every connected K8s cluster can be done with relatively little overhead. The highlight from the user's point of view is that the services can then be created transparently in the spaces built by Loft in exactly the same way as in a normal Kubernetes cluster. Loft takes care of all the logic behind the scenes with its little helper, Kiosk.
Virtual Clusters to the Rescue
If you have made it this far, Loft is almost ready for its intended use. At this point, all you have is a Loft space, which in Kubernetes is a namespace that comes with its own user management and largely behaves like genuine Kubernetes under the hood. The only thing missing for the end user is the Kubernetes APIs themselves.
A small tool from the Loft developers named vCluster comes into play here (Figure 4). vCluster is essentially based on the principle of rolling out a small but complete Kubernetes cluster into an existing Kubernetes, which gives you Kubernetes on Kubernetes.
Admittedly, this idea is not entirely new. For example, rolling out OpenStack on top of OpenStack to set up a test or staging environment is quite common. vCluster from Loft achieves the same thing for Kubernetes and bundles the components belonging to Kubernetes in such a way that they can run in a Kubernetes cluster themselves.
This arrangement has several major advantages from the administrator's perspective. First, a Kubernetes cluster rolled out this way is a real Kubernetes that is compatible with the K8s API and has official certification to prove it. It's not tinkering at all but a real K8s from an application perspective. Second, unlike the scenario described at the beginning, this setup doesn't need its own bare metal underpinnings. It uses the existing Kubernetes cluster along with its resources and rolls out the required components as pods. Because Kubernetes has long been able to roll out services redundantly, high availability is also not a problem.
Third, and this is also a big advantage of Loft, unlike classic Kubernetes, you do not have to set up namespaces and users manually. As I mentioned earlier, users can be integrated automatically for login purposes, and Loft takes care of implementing the desired permissions correctly in the target Kubernetes instances with its own permissions assignment afterwards. In practical terms, Loft implements the possibility for end users without an admin account in the Kubernetes target instances to put together their own real and complete K8s instances by pointing and clicking.
Buy this article as PDF
(incl. VAT)