Top Ten Challenges and Considerations for Workloads on Kubernetes and OpenShift

In my day job, I am part of a team that creates commercial software offerings called IBM Cloud Paks. These offerings run in containers; moreover, they are packaged to run on the Red Hat OpenShift Container Platform, which is a fully supported Kubernetes distribution. In that respect, most of what I will cover below is not specific to OpenShift. It applies to any Kubernetes-based environment.

IBM Cloud Paks, while still evolving, have been in the market for a couple of years now. In my interactions with customers around the world, a number of topics routinely come up. They are often voiced as challenges, and at the very least they are all topics that must be considered when deploying Cloud Paks into production environments. These topics are not specific to Cloud Paks either; they are relevant for any kind of software deployment.

So below is what I think of as the Top Ten list of concerns you should have in mind when running containerized software in Kubernetes. They are not really in order of priority, and every organization will probably have a different set of those that are most critical to them.
 
In this post, I will list them together with typical questions that trigger the conversation, and I will follow up with separate blog posts discussing them in more detail. So, buckle up and let's go for a ride!

Challenge 1: Image vulnerability scanning

When and how are images scanned for vulnerabilities? How and how quickly are identified vulnerabilities addressed? Can a vendor's policies be aligned with a customer's policies?
(Blog post is here.)

Challenge 2: Pod granularity

How many pods are part of a given application? How do you coordinate things like pod placement, affinity rules, or annotations and labels across related pods? How do you properly scale applications that consist of many pods?
(Blog post is here.)

Challenge 3: Cluster-admin and elevated privileges

Do any pods require cluster-wide authority, and if so, why? Does any pod run with elevated privileges or even as 'root'?
(Blog post is here.)

Challenge 4: Namespace isolation 

Can a workload be completely 'fenced' into a single namespace? Does it require any changes or create resources that are not scoped to a namespace?
(Blog post is here.) 

Challenge 5: Multi-tenancy

Can I deploy a workload so that it can be shared by multiple tenants, and if so, how? What concepts in Kubernetes help or hinder doing this?
(Blog post is here.) 

Challenge 6: Sizing and footprint optimization

How can I estimate the required capacity in my cluster for a given workload? How do I adjust workload specifications for optimal footprint and performance? 
(Blog post is here.)

Challenge 7: Storage

What storage provider should I use? What are the technical drivers leading us to choose one storage provider over another? What are the different ways to deploy storage and the related software parts?
(Blog post is here.)

Challenge 8: Version lifecycle management

How often do you upgrade your OpenShift / Kubernetes cluster? How do you ensure continuity in the environment? How about upgrading applications?
(Blog post is here.)

Challenge 9: Air gap, disconnected clusters

Can you run a cluster and all of its applications without being connected to the Internet?
(Blog post is here.)

Challenge 10: Cluster placement, 'stretch' clusters, HA clusters

How do you configure an environment for high availability and disaster recovery? Can you run a single cluster across multiple data centers or cloud regions? How do you ensure that applications meet your requirements for availability and recoverability?
(Blog post is here.) 


Again, each of these topics deserves a deeper dive and more detailed discussions, so feel free to click the links above to learn more about each topic!
 
 
 
 
(Photos by Timelab Pro and Ian Taylor on Unsplash)
