Introduction
In part 1 of this blog, we explored the business value delivered in VMware Cloud Foundation (VCF) 4.0 with a focus on how vSphere with Kubernetes brings new levels of developer and admin productivity. Part 2 of this series provides a technical overview of Tanzu Kubernetes Grid (TKG) integrated into vSphere 7 and surfaced through a Kubernetes API via the Tanzu Runtime Services. We’ll also look at how Hybrid Infrastructure Services allow developers to consume infrastructure from VCF Workload Domains, all managed within very familiar Kubernetes Namespaces.
Read Part Three of the ‘Delivering Kubernetes at Cloud Scale’ blog series here.
Once the VCF 4.0 instance has been deployed and configured, with the VCF management domain running NSX-T (new in 4.0), vSAN 7.0 and SDDC Manager (Cormac Hogan has an excellent series on VCF 4.0 deployment and Workload Domain creation), you can start building workload domains that use the new vSphere with Kubernetes functionality. As shown below, SDDC Manager provides a comprehensive framework that automates allocation of the virtual infrastructure resources within each workload domain (WLD), including deployment of NSX-T, the edge cluster and workload management within the VCF WLD.
Figure 1: vSphere with Kubernetes within a VCF Workload Domain
The Power of vSphere with Kubernetes
Because vSphere 7 has been re-architected to use Kubernetes as its control plane, developers can use Kubernetes' declarative syntax to manage infrastructure resources such as VMs, volumes and networks. This is an extremely powerful concept, and within a VCF 4.0 WLD it is used to run both the TKG Service and the vSphere Pod Service.
In addition to embedding Kubernetes directly into the hypervisor, the vSphere Client is also Kubernetes aware, allowing admins to manage Kubernetes objects alongside VMs.
All of the infrastructure resources are abstracted, so Kubernetes clusters, containers and virtual machines can be deployed through the Kubernetes API without touching the traditional vSphere APIs. As shown below, developers write a Kubernetes YAML manifest and apply it with kubectl just as they would for any other Kubernetes object, while admins retain policy control and visibility through vSphere.
Figure 2: Side by side view of vSphere client and developer initiated YAML files to deploy services
Namespace as a Unit of Management
Consider the power that vSphere has brought to VMs: granular CPU and memory resource management, vMotion, snapshots, VM encryption, storage policies and so on. But a Kubernetes cluster is not a single VM; it can be a matrix of VMs, containers and microservices, and applying those advanced functions to each component of a modern application individually is far too complex.
vSphere with Kubernetes addresses this with the Namespace: a collection of resource objects (containers, VMs, disks, etc.) that lets a modern application and all of its components be organized as a single unit of management. Policies are assigned and advanced operations (vMotion, snapshots, encryption, etc.) are executed against the entire Namespace rather than against individual containers and VMs.
Namespaces deliver large productivity gains for VI admins. Rather than managing hundreds or thousands of VMs in the vCenter inventory, the VMs are grouped into their logical applications, which reduces the admin's cognitive load. In the past, encrypting an application meant first finding every VM that belonged to it and then enabling encryption on each one. Now the admin applies the setting to the Namespace in vCenter and every member inherits it: the admin works with groups of related objects instead of individual VMs.
Figure 3: Namespace Resource Policy Management
Namespaces also provide a much more efficient model for developer self-service, replacing the ticket-driven workflow that is often the only way VI admins can govern what developers deploy. As shown above, the admin defines a policy on the Namespace once, and developers then deploy resources into that Namespace through self-service as often as they need.
Every object in the Namespace inherits and adheres to the policies the admin set. Developers get fast, self-service access to infrastructure while VI admins maintain compliance with corporate standards for security, performance and availability. This application-centric management means policies are attached to Namespaces and applied consistently to applications, and IT Operations teams get a holistic view of any application in their environment.
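To make the inheritance concrete, the following is an added example (not from this post and not a VMware artifact) of the Kubernetes objects a Namespace-level policy boils down to: a ResourceQuota that caps CPU, memory and per-storage-policy capacity, a LimitRange that supplies defaults so every pod is accountable to the quota, and a RoleBinding that grants a developer group edit rights in this one Namespace only. In vSphere with Kubernetes the Supervisor creates objects of this kind from the limits, storage policies and permissions the admin sets on the Namespace in vCenter; the namespace name `dev-team-a`, the storage class `vsan-default`, the numbers and the SSO group are assumptions.

```yaml
# Added example: what a Namespace-level policy looks like as Kubernetes objects.
# Assumed names: namespace dev-team-a, storage class vsan-default, SSO group below.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: dev-team-a-quota
  namespace: dev-team-a
spec:
  hard:
    requests.cpu: "16"
    requests.memory: 64Gi
    limits.cpu: "32"
    limits.memory: 128Gi
    # storage is capped per storage class, i.e. per vSphere storage policy
    vsan-default.storageclass.storage.k8s.io/requests.storage: 500Gi
---
apiVersion: v1
kind: LimitRange
metadata:
  name: dev-team-a-limits
  namespace: dev-team-a
spec:
  limits:
  - type: Container
    default:              # applied when a pod spec sets no limits
      cpu: 500m
      memory: 512Mi
    defaultRequest:       # applied when a pod spec sets no requests
      cpu: 250m
      memory: 256Mi
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-a-edit
  namespace: dev-team-a
subjects:
- kind: Group
  name: sso:devteam-a@vsphere.local   # assumed vSphere SSO group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit                          # edit inside this namespace, no cluster-wide rights
  apiGroup: rbac.authorization.k8s.io
```

Two details matter for the self-service model. Once a ResourceQuota names `requests.cpu` or `requests.memory`, the API server rejects any pod that does not declare requests, so the LimitRange defaults are what keep unadorned developer manifests admissible. And because the binding is a RoleBinding, not a ClusterRoleBinding, the group cannot see or change anything outside `dev-team-a`. A developer can confirm what applies to them with `kubectl get resourcequota,limitrange,rolebinding -n dev-team-a` and `kubectl describe quota -n dev-team-a`.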
VMware Cloud Foundation Services
vSphere with Kubernetes exposes a new set of services, called VMware Cloud Foundation Services, that developers consume through the same Kubernetes API they have always used. These services fall into two categories, Tanzu Runtime Services and Hybrid Infrastructure Services, as shown below. The platform is extensible, and the intent is for future services, including partner- and customer-built ones, to be delivered through the same APIs.
The following takes a look at each of these services (for more detail, see the vSphere with Kubernetes – Technical Overview video by Michael West).
Figure 4: vSphere with Kubernetes embedded VMware Cloud Foundation Services
Tanzu Runtime Services
Included within the Tanzu Runtime Services is a CNCF-certified Kubernetes distribution delivered through the Tanzu Kubernetes Grid (TKG) Service. It lets developers deploy and manage upstream-conformant, production-ready Kubernetes clusters on demand and run their containerized applications on them.
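The manifest below is an added example, not code from this post or from VMware, of how a developer requests a cluster from the TKG Service: a single `TanzuKubernetesCluster` object applied to the Supervisor. The namespace `dev-team-a`, the cluster name, the VM class names and the storage class `vsan-default` are assumptions; the storage class must be a storage policy the VI admin has assigned to the Namespace, and the CIDRs must not overlap the Supervisor's own networks.

```yaml
# Added example: request a Tanzu Kubernetes cluster from the TKG Service.
# Assumed names: namespace dev-team-a, VM classes, storage class vsan-default.
apiVersion: run.tanzu.vmware.com/v1alpha1
kind: TanzuKubernetesCluster
metadata:
  name: tkg-cluster-01
  namespace: dev-team-a          # the Namespace the admin created and granted the team
spec:
  distribution:
    version: v1.17               # Kubernetes release line, resolved to an available Tanzu Kubernetes release
  topology:
    controlPlane:
      count: 3                   # three control plane nodes for an HA cluster
      class: guaranteed-small    # VirtualMachineClass with reserved CPU and memory
      storageClass: vsan-default # node disks follow this storage policy
    workers:
      count: 3
      class: best-effort-medium
      storageClass: vsan-default
  settings:
    network:
      cni:
        name: calico
      services:
        cidrBlocks: ["10.96.0.0/12"]     # in-cluster service range (assumed)
      pods:
        cidrBlocks: ["192.168.0.0/16"]   # pod network range (assumed)
```

Applied with `kubectl vsphere login --server <supervisor-endpoint> --vsphere-username <user>`, `kubectl config use-context dev-team-a` and `kubectl apply -f tkg-cluster-01.yaml`, the request is reconciled into VMs whose CPU, memory and storage are charged against the Namespace's quota; `kubectl get tanzukubernetescluster -n dev-team-a` shows progress. Developers then log in to the new cluster with `kubectl vsphere login ... --tanzu-kubernetes-cluster-name tkg-cluster-01 --tanzu-kubernetes-cluster-namespace dev-team-a`. Note that the admin credential for the cluster also lives in the Namespace as a Secret; anyone with edit rights on `dev-team-a` is therefore effectively cluster-admin on every cluster it contains, so Namespace permissions should be granted with that in mind.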
Hybrid Infrastructure Services
Hybrid Infrastructure Services include full Kubernetes and RESTful API access spanning the creation and manipulation of virtual machines, containers, storage, networking and other core capabilities. The Storage Service lets developers build stateful applications with persistent volumes backed by vSphere volumes, for use by containers, Kubernetes clusters and virtual machines. The Network Service lets developers manage the virtual router, load balancer and firewall rules for the Kubernetes clusters in these development environments. The Registry Service lets developers deploy, store, manage and secure container images using Harbor.
The vSphere Pod Service extends Kubernetes with the ability to run pods directly on the ESXi hypervisor. Containers deployed through it get the same security isolation, performance guarantees and management capabilities that VMs enjoy, and the service draws on the Storage, Network and Registry Services to deliver pods natively on ESXi. The primary place customers will run containers is in the upstream-aligned, fully conformant clusters deployed through the TKG Service; the vSphere Pod Service complements it for application components that need the security and performance isolation of a VM in a pod form factor.
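The following added example (not from this post and not VMware's code) ties the services together: one application deployed into the Supervisor Namespace as vSphere Pods, with its state on a persistent volume from the Storage Service, its image pulled from the Harbor project that the Registry Service provides, and a load balancer VIP plus a firewall rule from the Network Service. The namespace `dev-team-a`, the storage class `vsan-default`, the registry hostname `harbor.example.com` and the image tag are assumptions.

```yaml
# Added example: a stateful workload run as vSphere Pods in a Supervisor Namespace.
# Assumed names: namespace dev-team-a, storage class vsan-default,
# Harbor registry harbor.example.com with project dev-team-a.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: web-data
  namespace: dev-team-a
spec:
  accessModes: ["ReadWriteOnce"]   # one pod at a time may mount it
  storageClassName: vsan-default   # Storage Service: a vSphere volume under that storage policy
  resources:
    requests:
      storage: 20Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: dev-team-a
spec:
  replicas: 1
  strategy:
    type: Recreate                 # avoid two pods contending for the RWO volume on rollout
  selector:
    matchLabels: {app: web}
  template:
    metadata:
      labels: {app: web}
    spec:
      containers:
      - name: web
        image: harbor.example.com/dev-team-a/web:1.0.3   # Registry Service (Harbor) project
        ports:
        - containerPort: 8080
        resources:                 # the vSphere Pod is sized and scheduled from these values
          requests: {cpu: 250m, memory: 256Mi}
          limits: {cpu: 500m, memory: 512Mi}
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        volumeMounts:
        - name: data
          mountPath: /var/lib/web
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: web-data
---
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: dev-team-a
spec:
  type: LoadBalancer               # Network Service: VIP on the NSX-T load balancer
  selector: {app: web}
  ports:
  - port: 443
    targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-ingress-only
  namespace: dev-team-a
spec:
  podSelector:
    matchLabels: {app: web}
  policyTypes: ["Ingress"]
  ingress:
  - ports:
    - port: 8080                   # only the service port is reachable; all other ingress is denied
```

`kubectl apply -f web.yaml` followed by `kubectl get svc web -n dev-team-a` shows the VIP in the EXTERNAL-IP column once NSX-T has programmed it. Everything in the file is counted against the Namespace: the 20Gi claim against the storage policy's capacity, the pod's requests and limits against the CPU and memory quota, and a manifest that would exceed either is refused at admission rather than after the fact.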
All together, VMware Cloud Foundation 4.0 and vSphere 7 with Kubernetes let organizations continue to modernize application infrastructure at scale, delivering the agility developers need to accelerate deployment and adoption of modern applications. VCF 4.0 is a fully engineered software-defined HCI stack that makes full use of vSphere with Kubernetes, including Namespaces and VMware Cloud Foundation Services. This combination provides a fully conformant, production-ready Kubernetes ecosystem matched to an enterprise cloud operating model that can be deployed at scale on-premises and in the public cloud.
Stay tuned for part 3 of this blog series, where we will delve deeper into the vSAN storage and NSX networking capabilities within VCF 4.0. To learn more about VMware Cloud Foundation 4, visit https://www.vmware.com/products/cloud-foundation.html; you can also follow VMware Cloud Foundation on Twitter and LinkedIn.