DevConf.CZ

Cloud-Native Security Simplified: Automating OpenShift VM Compliance with Knative, Tekton and Ansible
2024-06-13, E104 (capacity 72)

Automating OpenShift VMs Compliance with Knative and Tekton the cloud-native way

Introduction

Background
In the rapidly evolving landscape of cloud computing, virtual machine (VM) provisioning in OpenShift environments has become increasingly streamlined. However, compliance tasks often remain a bottleneck, characterized by manual interventions, time-consuming configurations, and a high potential for human error. These challenges undermine the efficiency gains achieved through modern provisioning processes.

Objective
This project aims to automate the VM compliance phase with Knative and Tekton, removing the manual steps that follow provisioning. Our goal is to improve operational efficiency and reliability in managing OpenShift Virtualization environments.

Problem Statement

Current compliance processes often involve cumbersome manual steps, leading to significant delays and high error rates. These include configuring network settings, installing software, and applying security patches.

Impact
These inefficiencies adversely affect resource utilization and operational costs, while increasing the likelihood of human error, thereby compromising system integrity and performance.

Proposed Solution

Overview
We propose a solution that leverages Knative to trigger Tekton pipelines, automating the compliance tasks in OpenShift environments.

How It Works
When a VM is created, Knative Eventing picks up the event and a Knative Trigger delivers the VM payload to a Tekton EventListener. The EventListener starts a pre-configured Tekton pipeline, whose tasks carry out the compliance work on the VM through Ansible.
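The wiring described above, as an added example that is not part of the talk's material. It assumes a Knative ApiServerSource watching KubeVirt VirtualMachine objects, a Broker named default, a namespace vm-compliance, the service account names shown and an annotation key compliance.example.com/configmap; all of these names are illustrative, while the API groups, the event type and the CEL interceptor are the real Knative and Tekton Triggers interfaces.

```yaml
# Added example, not the talk's own manifests. Namespace, broker, service
# account names and the annotation key compliance.example.com/configmap are
# assumptions; the API groups and event type are the real Knative/Tekton ones.
---
# 1. Watch KubeVirt VirtualMachine objects and emit CloudEvents to a Broker.
#    mode: Resource puts the whole VM object into the event payload.
apiVersion: sources.knative.dev/v1
kind: ApiServerSource
metadata:
  name: vm-events
  namespace: vm-compliance
spec:
  serviceAccountName: vm-events-sa   # get/list/watch on virtualmachines only
  mode: Resource
  resources:
    - apiVersion: kubevirt.io/v1
      kind: VirtualMachine
  sink:
    ref:
      apiVersion: eventing.knative.dev/v1
      kind: Broker
      name: default
---
# 2. Forward only "add" events to the EventListener's Service (el-<name>).
apiVersion: eventing.knative.dev/v1
kind: Trigger
metadata:
  name: vm-created
  namespace: vm-compliance
spec:
  broker: default
  filter:
    attributes:
      type: dev.knative.apiserver.resource.add
  subscriber:
    ref:
      apiVersion: v1
      kind: Service
      name: el-vm-compliance
---
# 3. EventListener: reject anything that is not a VM carrying a well-formed
#    ConfigMap name before any PipelineRun is created.
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: vm-compliance
  namespace: vm-compliance
spec:
  serviceAccountName: tekton-triggers-sa   # create pipelineruns, read triggers resources
  triggers:
    - name: vm-created
      interceptors:
        - ref:
            name: cel
          params:
            - name: filter
              value: >-
                body.kind == 'VirtualMachine' &&
                has(body.metadata.annotations) &&
                'compliance.example.com/configmap' in body.metadata.annotations &&
                body.metadata.annotations['compliance.example.com/configmap'].matches('^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$')
      bindings:
        - ref: vm-binding
      template:
        ref: vm-compliance-template
---
# 4. Pull only the three fields the pipeline needs out of the event body.
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
  name: vm-binding
  namespace: vm-compliance
spec:
  params:
    - name: vmName
      value: $(body.metadata.name)
    - name: vmNamespace
      value: $(body.metadata.namespace)
    - name: configMapName
      value: $(body.metadata.annotations['compliance.example.com/configmap'])
```

Two caveats a practitioner will hit: an ApiServerSource replays an add event for every existing VM whenever it starts, so the playbooks must be idempotent; and once this is deployed, anyone who can annotate a VM can start a PipelineRun, so the EventListener's service account should be limited to creating PipelineRuns and the CEL filter should stay strict about what it accepts.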

Technologies Used
- OpenShift: A Kubernetes distribution that simplifies the management of Kubernetes clusters, providing a robust foundation for this solution.
- Knative: An event-driven framework that facilitates serverless workloads in Kubernetes, crucial for triggering automated workflows.
- Tekton: A powerful Kubernetes-native CI/CD framework, used here to create and manage the pipelines executing post-provisioning tasks.
- Ansible: Ansible is a suite of software tools that enables configuration as code. It is open-source and the suite includes software provisioning, configuration management, and application deployment functionality.

Implementation

Architecture Diagram
A diagram will be provided to visually represent the workflow from VM creation to task completion.

Step-by-Step Process
Whenever a VM is created or deleted, a run of a Tekton pipeline is started. The pipeline reads a ConfigMap and then runs the automation tasks against the VM.

The VM must carry an annotation naming that ConfigMap; without it the pipeline has no configuration to work from.
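The annotation, the ConfigMap and the PipelineRun that ties them together, as an added example rather than the talk's own manifests. It assumes a namespace vm-compliance, the annotation key compliance.example.com/configmap, an Ansible execution image, an SSH key Secret and login user, and a DNS name pattern under which VM guests are reachable; the Tekton Triggers, Tekton and KubeVirt fields are the real API shapes.

```yaml
# Added example, not the talk's own manifests. Namespace, annotation key,
# Ansible image, SSH secret/user and the VM DNS pattern are assumptions.
---
# 1. The VM opts in by naming a ConfigMap; no annotation, no PipelineRun.
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: web-01
  namespace: apps
  annotations:
    compliance.example.com/configmap: cis-baseline
spec:
  running: true
  template:
    spec:
      domain:
        devices: {disks: [{name: rootdisk, disk: {bus: virtio}}]}
        resources: {requests: {memory: 2Gi}}
      volumes:
        - name: rootdisk
          containerDisk:
            image: quay.io/containerdisks/fedora:latest
---
# 2. Curated playbook in vm-compliance, not in the VM's namespace: a configMap
#    workspace only mounts ConfigMaps from the PipelineRun's own namespace,
#    so a VM owner can choose a playbook but cannot author one.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cis-baseline
  namespace: vm-compliance
data:
  playbook.yml: |
    - hosts: all
      become: true
      tasks:
        - name: Apply security errata only
          ansible.builtin.dnf: {name: "*", state: latest, security: true}
        - name: Keep the host firewall enabled
          ansible.builtin.service: {name: firewalld, state: started, enabled: true}
---
# 3. Bound params (vmName, vmNamespace, configMapName) become a PipelineRun.
#    configMapName never reaches a shell; it only selects a volume.
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
  name: vm-compliance-template
  namespace: vm-compliance
spec:
  params: [{name: vmName}, {name: vmNamespace}, {name: configMapName}]
  resourcetemplates:
    - apiVersion: tekton.dev/v1
      kind: PipelineRun
      metadata:
        generateName: compliance-$(tt.params.vmName)-
      spec:
        pipelineRef: {name: vm-compliance}
        params:
          - {name: vm-name, value: $(tt.params.vmName)}
          - {name: vm-namespace, value: $(tt.params.vmNamespace)}
        workspaces:
          - name: playbook
            configMap: {name: $(tt.params.configMapName)}
          - name: ssh
            secret: {secretName: ansible-ssh-key}
---
# 4. One inline task runs the playbook against the VM over SSH.
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: vm-compliance
  namespace: vm-compliance
spec:
  params: [{name: vm-name}, {name: vm-namespace}]
  workspaces: [{name: playbook}, {name: ssh}]
  tasks:
    - name: apply-baseline
      params:
        - {name: vm-name, value: $(params.vm-name)}
        - {name: vm-namespace, value: $(params.vm-namespace)}
      workspaces:
        - {name: playbook, workspace: playbook}
        - {name: ssh, workspace: ssh}
      taskSpec:
        params: [{name: vm-name}, {name: vm-namespace}]
        workspaces: [{name: playbook}, {name: ssh}]
        steps:
          - name: run-playbook
            image: quay.io/ansible/creator-ee:latest   # assumed image with ansible-playbook
            script: |
              #!/bin/sh
              set -eu
              # Secret volumes mount world-readable; ssh refuses such keys.
              install -m 0600 "$(workspaces.ssh.path)/id_ed25519" /tmp/id_ed25519
              # Tekton substitutes $(params.*) textually; both are Kubernetes
              # object names (DNS labels), so no shell metacharacters get in.
              ansible-playbook \
                -i "$(params.vm-name).$(params.vm-namespace).vm.example.internal," \
                --private-key /tmp/id_ed25519 -u cloud-user \
                "$(workspaces.playbook.path)/playbook.yml"
```

The DNS name is a placeholder for whatever guest name resolution the cluster provides; the trailing comma after it makes ansible-playbook treat the -i argument as an inline host list rather than an inventory file, so the ConfigMap only has to carry the playbook.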

Benefits

  • Efficiency: Significantly reduces the time required for post-provisioning tasks.
  • Reliability: Minimizes human error through automation.
  • Scalability: Easily adapts to increasing infrastructure demands.
  • Cost-Effectiveness: Reduces manpower requirements and operational costs.

Conclusion

This proposal outlines a transformative approach to managing compliance tasks in OpenShift VM environments. By leveraging Knative and Tekton, we can significantly enhance efficiency, reliability, scalability, and cost-effectiveness.

Q&A / Discussion Points

  • How does this solution integrate with existing CI/CD pipelines?
  • Can this framework support complex, multi-step provisioning tasks?
  • How does this approach ensure security and compliance during the automation process?
  • What are the limitations of this solution in its current form?
  • How can this solution be adapted for hybrid or multi-cloud environments?

Software Engineer specializing in containers, automation, and open-source technologies. A firm believer in the power of simplicity, I aim to design solutions that are as straightforward as possible, without compromising on efficiency, scalability or usability.

Customer-focused, I'm committed to continuous learning and professional development, and I make every effort to stay at the forefront of the dynamic IT industry. My areas of expertise include:

  • Managing and working with container orchestration systems/platforms like Kubernetes and OpenShift Container Platform.
  • Building custom operators in OpenShift using the Operator-SDK and managing serverless workloads using Knative Eventing.
  • Using container runtimes like Podman and Docker.
  • Automating infrastructure and workflow processes using Ansible Automation Platform and Terraform.
  • Implementing CI/CD pipelines using GitLab, Tekton, and ensuring code quality with testing tools such as Molecule and Pytest.
  • Logging, monitoring, and analyzing system data with Elastic Stack, Splunk, and SignalFx.
  • Understanding cloud and virtual environments on AWS, VMware vSphere, and Kubevirt.
  • Managing systems and networks with Red Hat Satellite and Red Hat Enterprise Linux.
  • Managing DNS with Infoblox and BIND.
  • Coding with Python3, Golang, Bash scripting, Java, and C, with a strong command of version control using Git.

With a focus on simplicity, detail, and customer needs, I strive to deliver efficient, scalable, and reliable solutions for technological challenges. I understand that every detail matters in the work I do, aiming to produce top-quality outcomes for both immediate needs and long-term operational success.