
VMware Cloud Foundation Automation - Infrastructure Resource Policy Overview

With the release of VMware Cloud Foundation 9.0, we introduced a number of new and exciting features and capabilities to help our customers deliver an agile, performant, and secure self-service private cloud. As part of a private cloud strategy, it is crucial to provide a way to consume the underlying infrastructure services and deliver applications quickly while still maintaining governance.

With VMware Cloud Foundation (VCF), a number of cloud services are available for consumption, such as VM and Kubernetes Cluster services, along with services for database management, continuous delivery pipelines, service mesh, image registry, and much much more.

This blog is an overview of some of the core services, such as the VM and Kubernetes services, and of how to apply IaaS resource policies to them. Resource policies help ensure that configurations such as cluster sizes are compliant. Enforcing a baseline pod security level and disallowing specific resources from being deployed are just two more examples of how resource policies can be used.

Choice of Consumption Models

With VCF, Organization Admins can choose how to isolate users and resources using constructs such as Organizations (tenants), Projects, namespaces, etc. Consumers, such as developers and app teams, also have choice in how they want to consume. The graphic below shows two primary methods: Self-Service Catalog and UI/CLI.

Single Platform for Building and Managing Apps

VMware Cloud Foundation is a single platform for building and managing applications and services for the entire Organization (tenants). IT teams can run and manage diverse workloads, including AI/ML and cloud native applications. Teams can use a modern interface (UI + code) to facilitate the deployment of services such as databases and VMs. Catalog services provide a way to curate applications that users can request.

Admins can extend the VCF service offering with additional services that consumers may require for their workloads. The vSphere Supervisor creates a Kubernetes control plane on the hypervisor, which allows Kubernetes-based VMs and clusters, as well as other services, to be deployed. Available services range from image registries and backup services to database services and Kubernetes clusters, and much more!

Next we’ll discuss the following two services with regard to policy attachment.

  • vSphere Kubernetes Service: Enables consumers to leverage consistent, compliant Kubernetes clusters with ease, ensuring standardization across containerized environments.
  • VM Service: Allows consumers to independently create VMs without requiring direct access to the vSphere Client, streamlining VM creation alongside Kubernetes workflows.

Deploying VMs and VKS Clusters

Let’s start with the VM service, which provides a modern VM consumption methodology. Using declarative Kubernetes YAML, consumers can deploy and manage VMs alongside Kubernetes clusters. Application teams may want to run VMs alongside Kubernetes pods, as an example. This also provides a consistent way for application teams to provision resources across the entire VCF fleet. 

The VM is deployed using VM Operator, which provides the VirtualMachine custom resource definition (CRD). For instance, a Kubernetes manifest can be used to deploy the VM:
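As an added illustration (not the manifest from the original post, and not VM Operator's own sample), the following is a minimal VirtualMachine manifest in the shape VM Operator's v1alpha1 API accepts. The namespace `dev-team`, VM class `best-effort-small`, image `ubuntu-22.04-cloudimg` and storage class `vsan-default-storage-policy` are assumed names; they must already exist in the Supervisor namespace, and newer Supervisor releases serve later API versions with a slightly different spec, so check with `kubectl api-resources | grep vmoperator` first.

```yaml
# Added example, not the blog's manifest. All names below are assumptions;
# replace them with the VM class, image, storage class and namespace your
# Supervisor namespace actually exposes.
apiVersion: vmoperator.vmware.com/v1alpha1
kind: VirtualMachine
metadata:
  name: web-01
  namespace: dev-team                     # assumed Supervisor namespace
  labels:
    app: web                              # labels let policies and selectors target this VM
spec:
  className: best-effort-small            # VirtualMachineClass: the CPU/memory shape allowed here
  imageName: ubuntu-22.04-cloudimg        # VirtualMachineImage published from a content library
  storageClass: vsan-default-storage-policy
  powerState: poweredOn
  networkInterfaces:
  - networkType: nsx-t                    # NSX-backed workload network of the namespace
```

Apply it with `kubectl apply -f vm.yaml` against the Supervisor context and watch it with `kubectl get vm -n dev-team`. Because the VM is just another namespaced Kubernetes object, the same admission-time policies that govern clusters can be pointed at `virtualmachines` in the `vmoperator.vmware.com` group, for example to restrict which VM classes or images a project may use.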

The above Kubernetes manifest can be written from scratch and used in a blueprint, for example, or users can generate it through the intuitive Services UI, which also deploys the VM for them. The VM deployment YAML can then be edited in the UI or the CLI.

When using the Services UI to deploy VKS clusters, there are two configuration types: Default Configuration, which prepopulates a number of parameters, or Custom Configuration, which allows for a more granular configuration. In the example below a Default Configuration was chosen. 

Consume and Deploy via Catalog 

Earlier we mentioned that consumers should have a choice in how they want to consume infrastructure and deploy applications. So far we have looked at a method involving the UI whereby the user can use an intuitive form to create VMs, VKS, and the supporting objects like Load Balancers. 

In this section we will review the option to present curated applications to a Catalog. The items that are in the catalog are generally used for two purposes:

  1. Consume the underlying IaaS components and deploy apps and services
  2. Run ad-hoc workflows and scripts for XaaS

In this blog we will focus on the former. Catalog items start as blueprints, and VCF 9.0 provides an easy-to-use catalog service for them. Once the blueprint is complete, it can be published to the catalog.

Now that the catalog item for our application is available to users, Organization Admins may want to apply policies to the resulting service deployments.

Policy Type for Kubernetes Resources

In VCF Automation 9.0 a new resource policy type was introduced: IaaS Resource Policy. This policy type provides a policy-as-code approach built on the Kubernetes Validating Admission Policy (ValidatingAdmissionPolicy) mechanism, with rules written in the Common Expression Language (CEL).

By clicking on the IaaS resource policy, admins can configure policies that apply to the Kubernetes objects being deployed, such as VM Service VMs and Kubernetes clusters. The example below shows a policy that enforces a maximum of one control plane node and one worker node on a Kubernetes cluster. A number of out-of-the-box templates are provided, and this is one of them.

When a user tries to deploy a VKS cluster with three control plane nodes, the deployment fails with an error indicating that a policy violation has occurred.

The admission control policy prevented the deployment because the user requested more than one control plane node. This is just one example of using the new policy-as-code engine for Kubernetes resources.
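To make the "maximum of one control plane/worker node" rule concrete, here is the plain Kubernetes form of such a policy as an added example; it is not the out-of-the-box template from the post and not VCF Automation's own code, and how the product ingests the rule through its UI is outside what the post shows. It assumes VKS clusters are Cluster API `cluster.x-k8s.io/v1beta1` Cluster objects with a `spec.topology` section, and it scopes the binding with a namespace label `vcf-project: dev-team` that is my own choice. The third document is a constructed request with three control plane nodes, the same shape of request the post describes being denied.

```yaml
# Added example, not the post's template. Assumes Cluster API v1beta1 Cluster
# objects with spec.topology and an assumed namespace label "vcf-project: dev-team".
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: vks-max-one-node
spec:
  failurePolicy: Fail                  # an evaluation error denies instead of silently allowing
  matchConstraints:
    resourceRules:
    - apiGroups:   ["cluster.x-k8s.io"]
      apiVersions: ["v1beta1"]
      operations:  ["CREATE", "UPDATE"]
      resources:   ["clusters"]
  validations:
  # Control plane: a missing replicas field is left to defaulting; more than one is denied.
  # The has() guards keep a cluster without spec.topology from tripping failurePolicy: Fail.
  - expression: >-
      !has(object.spec.topology) ||
      !has(object.spec.topology.controlPlane) ||
      !has(object.spec.topology.controlPlane.replicas) ||
      object.spec.topology.controlPlane.replicas <= 1
    message: "policy vks-max-one-node: at most one control plane node is allowed"
    reason: Forbidden
  # Workers: every machine deployment in the topology may request at most one replica.
  - expression: >-
      !has(object.spec.topology) ||
      !has(object.spec.topology.workers) ||
      !has(object.spec.topology.workers.machineDeployments) ||
      object.spec.topology.workers.machineDeployments.all(md, !has(md.replicas) || md.replicas <= 1)
    message: "policy vks-max-one-node: at most one worker node per machine deployment is allowed"
    reason: Forbidden
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: vks-max-one-node-dev
spec:
  policyName: vks-max-one-node
  validationActions: [Deny]            # switch to [Audit, Warn] to dry-run before enforcing
  matchResources:
    namespaceSelector:
      matchLabels:
        vcf-project: dev-team          # assumed label; limits the rule to this project's namespaces
---
# Constructed request that the policy rejects: three control plane nodes.
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  name: too-big
  namespace: dev-team
spec:
  clusterNetwork:
    services:
      cidrBlocks: ["10.96.0.0/12"]
    pods:
      cidrBlocks: ["192.168.0.0/16"]
  topology:
    class: CLUSTERCLASS-NAME-PLACEHOLDER   # the ClusterClass your Supervisor provides
    version: TKR-VERSION-PLACEHOLDER        # a Kubernetes release available in the namespace
    controlPlane:
      replicas: 3                           # violates the first validation
    workers:
      machineDeployments:
      - class: node-pool
        name: workers
        replicas: 1                         # passes the second validation
```

Applying the first two documents and then the third produces a denial carrying the first `message`, which is the behaviour the post describes. The `has()` guards matter in practice: with `failurePolicy: Fail`, a CEL expression that dereferences a field absent from the request errors out and denies the request, so an unguarded expression would block legitimate clusters that simply omit `spec.topology`. Rolling the binding out with `validationActions: [Audit, Warn]` first shows in the audit log which existing requests would have been denied before anything is enforced.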

Applying and configuring policies is easier than ever with VCF! Admins can provide flexibility and agility for end users to consume infrastructure without compromising on security, compliance, and organization policies. Stay tuned for more blogs around cluster and resource management coming soon!