White Paper Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family
Abstract This paper highlights the benefits of cloud native databases, using Kubernetes persistent storage on Dell EMC PowerFlex family, while achieving security and compliance for containerized workloads.
March 2020
000058 Revisions
Revisions
Date Description
December 2019 Initial release
January 2020 Updated Section 5.4.2 Validating CockroachDB on Kubernetes
February 2021 Provided detailed information related to security and compliance for containerized workloads.
March 2021 Updated Solution Architecture section.
Acknowledgements
This paper was produced by the following:
Authors: Sudhakar Tekkali, Syed Abrar and Praphul Krottapalli
Contributors: David Adams, Kailas Goliwadekar and Shalini G
The information in this publication is provided “as is.” Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.
Use, copying, and distribution of any software described in this publication requires an applicable software license.
Copyright © 2021 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners. [3/30/2021] [White Paper] [000058]
2 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Table of contents
Table of contents
Revisions...... 2 Acknowledgements ...... 2 Table of contents ...... 3 Executive summary ...... 5 1 Introduction ...... 6 1.1 Objective ...... 6 1.2 Audience ...... 7 1.3 Terminology ...... 7 2 Product overview ...... 8 2.1 PowerFlex family ...... 8 2.2 PowerFlex software components ...... 8 2.2.1 PowerFlex ...... 9 2.2.2 PowerFlex Manager ...... 9 2.3 PowerFlex deployment architectures ...... 10 2.4 Kubernetes ...... 10 2.5 Container Storage Interface ...... 10 2.5.1 CloudLink ...... 10 2.5.2 CloudLink for Containers ...... 10 2.5.3 CloudLink components ...... 11 3 Solution architecture ...... 12 3.1 Logical architecture ...... 12 3.2 Two-layer network topology ...... 13 3.3 Kubernetes ...... 14 3.4 Dell EMC PowerFlex CSI driver architecture ...... 15 4 Deployment ...... 16 4.1 Deploying Kubernetes ...... 16 4.2 Deploying PowerFlex CSI driver ...... 16 4.2.1 CSI driver prerequisites ...... 16 4.2.2 Installing CSI driver for PowerFlex ...... 16 5 Cloud Native Databases on Kubernetes ...... 18 5.1 MongoDB deployment ...... 18 5.1.1 MongoDB on Kubernetes architecture ...... 18 5.1.2 Validating MongoDB on Kubernetes ...... 19
3 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Table of contents
5.2 Cassandra deployment ...... 21 5.2.1 Cassandra on Kubernetes architecture ...... 21 5.2.2 Validating Cassandra on Kubernetes ...... 21 5.3 PostgreSQL deployment ...... 23 5.3.1 PostgreSQL on Kubernetes architecture ...... 23 5.3.2 Validating PostgreSQL on Kubernetes ...... 23 5.4 CockroachDB deployment ...... 25 5.4.1 CockroachDB on Kubernetes architecture ...... 25 5.4.2 Validating CockroachDB on Kubernetes ...... 26 6 Security areas for containerized workloads ...... 28 6.1 Storage encryption with Dell EMC CloudLink ...... 28 6.2 Container Security dimensions with Aqua Security ...... 28 7 Deploy CloudLink on PowerFlex ...... 30 7.1 Prerequisites ...... 30 7.2 Deploy and configure CloudLink encryption for Containers on PowerFlex ...... 30 7.3 Post deploy CloudLink encryption for containers on PowerFlex ...... 31 8 Deploy Aquasec on PowerFlex ...... 33 8.1 Prerequisites ...... 33 8.2 Deploy Aqua Enterprise in your cluster ...... 33 8.2.1 Dashboard ...... 34 8.3 Container security dimensions ...... 34 8.3.1 Secure supply chain ...... 34 8.3.2 Compliance ...... 35 8.3.3 Security audit and reporting ...... 36 8.3.4 Vulnerability analysis and response ...... 37 8.3.5 Authentication ...... 41 8.3.6 Secure development ...... 42 8.3.7 Network segmentation ...... 42 9 Conclusion ...... 44 A Appendix ...... 45 A.1 Configuration details ...... 45 A.2 Deployment details ...... 46 B Technical support and resources ...... 47 B.1 Related resources ...... 47
4 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Executive summary
Executive summary
Enterprises across the globe are challenged to improve the business processes, develop new capabilities and business models. Enterprises are digitally transforming to meet the business goals and deliver cutting-edge technology, products, and services. Cloud Native architecture enables rapid development and deployment of agile applications at scale and resiliency. One of the most powerful tools in this new Cloud Native architecture is containerization, which has been evolving new workloads and use cases. Both open-source community and software vendors are constantly adding exciting features to container technology to make it necessary for developers and IT.
Cloud Native architecture enables applications to take advantage of containerization, elasticity, resilience, scale, and orchestration. Cloud Native applications, including databases, require supporting tools that have capabilities to deal with scheduling, load balancing, resource monitoring, scaling, and job isolation of these complex environments. Kubernetes is an open-source container orchestration system with capabilities of automatic, scaling, and managing containerized applications.
This document illustrates how to build Cloud Native containerized database workloads on Dell EMC PowerFlex family platform with Kubernetes and Dell EMC PowerFlex CSI driver providing persistent storage in a private cloud environment. This document demonstrates securing the Cloud Native databases workloads with Security-lifecycle best-practices in cloud native infrastructure.
5 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Introduction
1 Introduction Modern data center workloads have varying business value and characteristics for the workload and data that govern the performance, throughput, capacity, availability, data protection, and data services requirements. Shrinking IT budgets, push for greater efficiency, and consolidation and workload requirements have made it necessary for the underlying infrastructure to deliver high performance, scalability, resiliency, and most importantly -- flexibility. PowerFlex family is an engineered system for Dell EMC designed on five super power principals to meet the key infrastructure requirements. PowerFlex family delivers:
• Unmatched performance. • Unprecedented scale (1000 nodes and 100s-PB storage capacity). • Built in redundant hardware components and PowerFlex (VxFlex OS) mesh mirror architecture delivers unparalleled resiliency. • Infrastructure flexibility: PowerFlex family is second to none. A PowerFlex integrated rack system has 1000s of hardware and software configuration option combinations that can co-exist freeing customers from T-shirt size, dedicated and siloed environments, and accelerating the data center consolidation. • Engineered system with single call support and life cycle management.
PowerFlex family with PowerFlex (previously VxFlex OS) offers flexibility for installing virtual machines, containers, and bare metal applications.
Scalable PowerFlex family
1.1 Objective
This white paper outlines how a Kubernetes operator can deploy Cloud Native databases and Kubernetes as container orchestration layer on Dell EMC PowerFlex family platform to meet the performance, scalability, resiliency, and availability requirements. The document also provides detailed information about leveraging Dell EMC PowerFlex CSI driver to dynamically provision persistent volumes and Securing the Cloud Native databases workloads.
6 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Introduction
1.2 Audience
This document is intended for decision makers, business leaders, architects, cloud administrators, DevOps Infrastructure administrators, Cloud Native database administrators, Hyperconverged infrastructure administrators, and technical administrators of IT environments responsible for developing and deploying platform and service to run Cloud Native databases.
The reader of this document must have a working knowledge of Dell EMC PowerFlex, VMware vSphere technologies, Linux, Container technologies, Kubernetes, YAML scripting, Cloud Native databases such as Cassandra, PostgreSQL, MongoDB, CockroachDB technologies.
1.3 Terminology
The following table defines acronyms and terms that are used throughout this document:
Terms and definitions
Term Definition
MDM Meta Data Manager SDS Storage Data Server SDC Storage Data Client RCM Release Certification Matrix SSD Solid State Drive IaaS Infrastructure as a Service PaaS Platform as a Service AU Allocation Unit PD Protection Domain LUN Logical Unit Number PV PersistentVolume PVC PersistentVolumeClaim YCSB Yahoo cloud servicing benchmark TPC-C Transaction Processing Performance Council Benchmark VLT Virtual Link Trunking CNI Container Network Interface CLC CloudLink Center VM Virtual Machine CSI Container Storage Interface
7 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Product overview
2 Product overview
2.1 PowerFlex family
PowerFlex is a software-defined storage platform designed to significantly reduce operational and infrastructure complexity, empowering organizations to move faster by delivering flexibility, elasticity, and simplicity with predictable performance and resiliency at scale. The PowerFlex family provides a foundation that combines compute as well as high performance storage resources in a managed unified fabric. PowerFlex comes in flexible deployment options - rack, appliance, or ready nodes - that enable two-layer (compute and server SAN), single-layer (HCI), and/or storage only architectures. PowerFlex is ideal for high performance applications and databases, building an agile private cloud, or consolidating resources in heterogeneous environments.
PowerFlex family
2.2 PowerFlex software components
Software is the key differentiation and the “secret sauce” in the PowerFlex offering. The PowerFlex software components not only provide software-defined storage services, they also help simplify infrastructure management and orchestration with comprehensive ITOM and LCM capabilities that span compute as well as storage infrastructure, from BIOS and firmware to nodes, software and networking.
The core foundational component in the PowerFlex family that enables Software Defined Storage (SDS) services is called PowerFlex, to represent the core value it enables for the platform. Additionally, PowerFlex Manager is a comprehensive IT Operational Management (ITOM) and Life Cycle Management (LCM) tool that drastically simplifies management and ongoing operation.
8 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Product overview
2.2.1 PowerFlex PowerFlex (previously VxFlex OS) is the software foundation of PowerFlex software-defined storage. It is a scale-out block storage service designed to deliver flexibility, elasticity, and simplicity with predictable high performance and resiliency at scale.
PowerFlex 3.0 comes with lot of new features around space efficiency, data management, and data integrity. These features make it ideal to host database workloads like SQL on PowerFlex rack. Few of the newly added features are listed here.
Fine Granularity Layout
PowerFlex adds a new storage layout option that is called as Fine Granularity (FG) in addition to the existing Medium Granularity (MG). MG has a 1 MB allocation units and FG has an allocation unit of 4 KB and a physical data placement scheme based on Log Structure Array (LSA) architecture. This new FG requires both Flash media (SSD or NVMe) and NVDIMM in order to create a storage pool. FG gives inline compression that can reduce the total amount of physical data that must be written to SSD. This greatly helps in efficient data storage management and snapshot capabilities. NVDIMM can be used for persistent memory technology which is cacheable and has lesser latencies and throughput than flash storage.
SQL Server with NVMe results in high performance and low latency which translates into more processing of data and analysis. SQL Server thus benefits in providing higher workload consolidation and achieving greater cost savings.
Intel Optane cards also can be used to store SQL Server TempDB files or transaction log files that give excellent random read and write performance at low queue depths. They are particularly used for heavy OLTP workloads.
Inline compression
Fine Granularity layout enables an inline compression capability that can reduce the data footprint.
Persistent Checksum
FG also has persistent checksum that maintains the data integrity for the data and metadata of FG storage pools.
For complete list of new features of PowerFlex, see PowerFlex v3.0 Release Notes.
PowerFlex management is available using a user interface, CLI, and REST clients. There is a VMware vSphere® plug-in that allows VMware admins to deploy, upgrade, configure, and manage PowerFlex in an ESXi environment within VMware vSphere.
2.2.2 PowerFlex Manager PowerFlex Manager is the software component in PowerFlex family that enables ITOM automation and life cycle management capabilities for PowerFlex systems.
9 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Product overview
2.3 PowerFlex deployment architectures
PowerFlex software-define storage offers flexibility of deployment architecture to help best meet the specific deployment and architectural requirements. PowerFlex can be deployed in a two-layer (Server SAN), single layer or in storage-only architectures.
2.4 Kubernetes
Kubernetes is an open-source platform which is portable and can be extended to manage containerized workloads and services. Thus Kubernetes, facilitates both declarative configuration and automation. Containers are a good way to bundle and run your applications because it has its own filesystem, CPU, memory, process space, and so on. As they are decoupled from the underlying infrastructure, they are portable across clouds and operating system distributions. Kubernetes provides you with a framework to run distributed systems resiliently.
For more information about Kubernetes, see Kubernetes documentation.
2.5 Container Storage Interface
Kubernetes natively offers some solutions to manage storage, however, native storage options also present challenges with the pod portability. CSI solves the challenges with native Kubernetes solutions. It is a community driven standard for persistent storage on container orchestrators (COs) like Kubernetes. It enables storage providers to develop CSI driver for Kubernetes CO systems. It lets you provision storage for pods through a Kubernetes PersistentVolumeClaim (PVC).
For more information about CSI Overview, see Container Storage Interface (CSI) for Kubernetes GA .
2.5.1 CloudLink CloudLink provides software-based Data at Rest Encryption (DARE) for PowerFlex Storage Data Servers (SDS) that is transparent to the features and operation of the PowerFlex solution. It uses dm-crypt, a native Linux encryption package, to secure SDS devices. A proven high-performance volume encryption solution, dm-crypt is widely implemented for Linux machines.
2.5.2 CloudLink for Containers CloudLink 7.0 supports data encryption in a Kubernetes containerized environment. CloudLink encryption for containers enables you to encrypt shared volumes in a Kubernetes cluster. This functionality leverages Kubernetes 1.14 CSI. which is customizable to the user environment, and features a quick, easy setup with the GUI or REST-API. Encryption of Containers Agents sits between the Application and the CSI Storage Plugin encrypting the application data before it is sent to storage-thus providing both Data at Rest and Data in Motion. One CloudLink Center instance can support multiple Kubernetes clusters. Each Kubernetes cluster node can have multiple Encryption for Containers agents running on it, which includes one Encryption for Containers agent for each driver.
10 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Product overview
2.5.3 CloudLink components CloudLink Center is a web-based interface for CloudLink that is used to manage machines that belong to the CloudLink environment (those machines on which CloudLink Agent has been installed) and helps in the following:
• Communicates with machines over Transport Layer Security (TLS) • Manages the encryption keys that are used to secure the boot volumes, data volumes, and devices for the machines • Configures the security policies • Monitors the security and operation events • Collects log data CloudLink agent that runs on individual machines and helps in the following:
• Leverages BitLocker or dm-crypt for encryption operations • Communicates with CloudLink Center for pre-startup decryption authorization For complete CloudLink solution docs, see CloudLink Info Hub Portal.
11 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Solution architecture
3 Solution architecture
3.1 Logical architecture
The two-layer architecture is where the Storage Data Server (SDS) and Storage Data Client (SDC) components are isolated from each other on separate set of nodes. The following figure demonstrates the two-layer deployment of PowerFlex (previously VxFlex OS) where compute nodes run ESXi and storage nodes run Red Hat Enterprise Linux (RHEL):
PowerFlex two-layer logical designs
For compute, a VMWare ESXi 6.7 three node cluster is created to host workload VMs, which, in this case, is a Kubernetes cluster. The SDC component is also installed on the Kubernetes worker nodes to allow direct mount of PowerFlex volumes to Kubernetes pods.
For storage, RHEL 7.6 deployed on four storage defined only ones that acts as SDS. From PowerFlex, PowerFlex cluster consists of one product domain.
CloudLink Center was packaged as a virtual appliance that was deployed on VMware vSphere cluster which is available on management node hosts. CloudLink Center provides centralized, policy-based management for these keys, enabling single-screen security monitoring and management for PowerFlex deployment.
12 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Solution architecture
3.2 Two-layer network topology
The following diagram depicts the two-layer network architecture that is based on PowerFlex (VxFlex OS) best practices:
PowerFlex two-layer network architecture
• Two Dell S5048F switches are configured with VLT to provide fault condition and enable connectivity with other switches. Storage nodes, Compute nodes, Management, and other Teamed Networks using Link Aggregation Group (LAG). • Two dual ports 25 Gig Mellanox NICs on each server provide 4 x 25 Gig ports. • VLAN 51 and 52 (also known as Data 1 and Data 2) network channels are dedicatedly used for SDS-SDS communication. Both VLANs are isolated at switch level to provide high availability and avoid single point of failure. • VLAN 53 and 54 (also known as Client 1 and Client 2) network channels are dedicatedly used for SDS- SDC communication. Both VLANs are isolated at switch level to provide high availability and avoid single point of failure. • On compute nodes, 2 x 25 Gig ports are teamed to provide high availability. Teamed Network is used to create Virtual Networks in vSphere. VLAN 56 is configured to provide connectivity with customer network and VLAN 57 is dedicated vMotion. • On compute nodes, 2 x 10 Gig teamed ports are used to create Management network. VLAN 55 is dedicated to Management network which includes PowerFlex management and Hypervisor management.
13 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Solution architecture
3.3 Kubernetes
Kubernetes cluster follows the client/server architecture. By default, a Kubernetes cluster consists of minimum one master node and multiple worker nodes. For high availability, multiple master nodes need to be considered.
Master server consists of various components to control the cluster and facilitate communication with APIs.
The following figure depicts the high-level architecture of a Kubernetes cluster:
Kubernetes architecture
Note: Several Container Network Interface (CNI) options are available to implement Kubernetes cluster networking. For more information about Kubernetes Network policy, see Networking and Network Policy.
Kubernetes contains several abstractions that represent the state of the system; containerized workload, their associated network, and disk resources. The objects in Kubernetes API represent these abstractions. The basic Kubernetes objects include:
• Pod: This consists of containers, storage resources, and unique network id. • Service: Represents a logical set of pods and acts as a gateway to provide load balancing. • Volumes: Is associated with pods to store data. Volumes can be persistent or non-persistent depending on the application requirements and deployment. • Namespaces: Isolation of names and resources in the cluster.
Kubernetes also contains higher-level abstraction that relies on controllers to build upon basic objects and provide additional functionality. For details, see Kubernetes components.
14 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Solution architecture
3.4 Dell EMC PowerFlex CSI driver architecture
Dell EMC has developed a CSI driver plug-in for PowerFlex (VxFlex OS) and Kubernetes. The plug-in provides persistent storage using PowerFlex storage system. The CSI drive for PowerFlex and Kubernetes communicates over CSI protocol.
The following figure shows the detailed architecture of the deployment and how the PowerFlex SDC interacts with CSI components to deliver persistent storage to the Kubernetes cluster:
PowerFlex CSI Driver for Kubernetes
To access the CSI driver source code and product documentation, see PowerFlex CSI driver on GitHub.
15 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Deployment
4 Deployment
4.1 Deploying Kubernetes
Running a Kubernetes cluster requires at least one master and one worker node. For the demonstration of this deployment, one master and three worker nodes for each Kubernetes cluster were used. The hardware and software details of the Kubernetes cluster nodes is available here: Appendix A.2.
There are multiple ways of deploying Kubernetes in production environment. For this solution, kubeadm was used to deploy the Kubernetes clusters. For complete instructions on deploying Kubernetes cluster, see Installing kubeadm.
4.2 Deploying PowerFlex CSI driver
PowerFlex CSI driver enables Kubernetes worker nodes to provision persistent volumes from PowerFlex storage. The following section describes the procedure to deploy CSI driver:
4.2.1 CSI driver prerequisites Ensure to complete the following requirements before installing CSI Driver:
• Install Kubernetes version 1.14 • Enable the required Kubernetes feature gates • Configure Docker service • Install Helm and Tiller with a service account • Install PowerFlex SDC components on each Kubernetes node
For complete details on prerequires and full installation, see CSI Driver for PowerFlex Product Guide.
4.2.2 Installing CSI driver for PowerFlex Complete the following steps to install CSI driver version 1.1.3 on PowerFlex (previously VxFlex OS):
1. Download the installation source files from GitHub, using the following command:
$ git clone https://github.com/dell/csi-vxflexos
2. Create a Kubernetes secret file with your PowerFlex username and password using the template in secret.yaml.
$ kubectl create -f secret.yaml -n vxFlexos
3. Copy the csi-vxFlexos/values.yaml to a file myvalues.yaml in this directory.
4. Specify the required parameters in myvalues.yaml file.
$ cat myvalues.yaml systemName: 264facb730a26a0f
16 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Deployment
username: admin password: ****** restGateway: https://gateway.flex.com storagePool: default mdmIP: mdmIP1, mdmIP2 volumeNamePrefix: k8s storageClass.name: vxFlexos
Note: The mdmIP values that are provided here are just examples. You must use relevant mdmIP values for performing this step.
5. Run the following command to proceed with the installation:
$ sh install.vxFlexos NAME: vxflexos LAST DEPLOYED: Fri Aug 30 17:17:32 2019 NAMESPACE: vxflexos STATUS: DEPLOYED
6. Verify that the CSI agent pods are running.
$ kubectl get pods -n vxFlexos NAME READY STATUS RESTARTS AGE vxflexos-controller-0 4/4 Running 0 112s vxflexos-node-2fmz4 2/2 Running 0 112s vxflexos-node-4c7hh 2/2 Running 0 112s vxfexos-node-ptvg4 2/2 Running 0 112s
$ kubectl get storageclass NAME PROVISIONER AGE vxflexos (default) csi-vxflexos 21s vxlexos-xfs csi-vxflexos 21s
17 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Cloud Native Databases on Kubernetes
5 Cloud Native Databases on Kubernetes In this paper, the following Cloud Native Databases are deployed on Kubernetes based on specific requirements followed by validating and providing results for each database using an example:
• MongoDB deployment • Cassandra deployment • PostgreSQL deployment • CockroachDB deployment
Prerequisites
Ensure to complete the following prerequisites before deploying Cloud Native databases:
• Create PowerFlex cluster and Kubernetes cluster. • Install and configure network stack for Kubernetes cluster. • Install and configure Helm and Tiller with service account. • Install and configure PowerFlex CSI driver. • Verify vxflexos StorageClass is successfully deployed.
5.1 MongoDB deployment
MongoDB is a cross-platform document-oriented database. MongoDB can be used to store large amount of data volume and has a schema-less data model. The purpose of the replication increases the read capacity, which enables users to perform read operations from different servers. Maintaining copies of data in different data nodes can increase data locality and availability for distributed applications. For complete details, see How Containers Benefit Your Business.
5.1.1 MongoDB on Kubernetes architecture The mongos instances provide the interface between the client applications and the shaded cluster. A replica set in MongoDB is a group of mongod instances that maintain the same dataset and it can also handle data requests, manages data access, and performs background management operations.
A replica set contains the following nodes:
• Primary node is the only node in cluster to perform write operations, and it can also contain the config files for the cluster. • Secondary node is where the replicas of the data are stored, and it supports read operations. • Arbitrary node plays a role of voter node to allow cluster achieve quorum and in case split brain syndrome, the arbiter node is used to decide the primary node.
18 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Cloud Native Databases on Kubernetes
The following diagram shows the high-level architecture of MongoDB cluster:
MongoDB architecture logical design
For more information about MongoDB components, see MongoDB Replication.
5.1.2 Validating MongoDB on Kubernetes Helm charts provides stable/mongodb and stable/mongodb-replicaset options to replicate MongoDB pods. For this paper, stable/mongodb chart was considered.
MongoDB on Kubernetes cluster running on PowerFlex family platform was installed following the procedure available in MongoDB Helm chart on Github.
After adding stable repository to the Helm chart, complete the following steps:
1. Specify the following parameters in the values.yaml in addition to the default parameters for Kubernetes environment:
$ cat values.yaml mongodbRootPassword: password mongodbUsername: admin mongodbPassword: ****** mongodbDatabase: mydatabase replicaSet.enabled: true metrics.enabled: true metrics.livenessProbe.enabled: true metrics.readinessProbe.enabled: true storage.persistentVolume.storageClass: vxflexos
2. Install the stable/mongo Helm chart using values.yaml.
19 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Cloud Native Databases on Kubernetes
3. Deployed results are displayed as shown here:
$ helm status mongo NAME:mongoreplicatest-myrelease-mongodb LAST DEPLOYED:
RESOURCES: ==> v1/Pod(related) NAME READY STATUS RESTARTS AGE mongoreplicatest-myrelease-mongodb-arbiter-0 1/1 Running 3 3h31m mongoreplicatest-myrelease-mongodb-primary-0 2/2 Running 6 3h29m mongoreplicatest-myrelease-mongodb-secondary-0 2/2 Running 6 3h27m
==> v1/Service NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE mongoreplicatest-myrelease-mongodb ClusterIP None
==> v1/StatefulSet NAME READY AGE mongoreplicatest-myrelease-mongodb 3/3 3h31m
4. Verify that the MongoDB pods are running.
$ kubectl get pods -n mongo-replica -o wide
5. Verify that PersistentVolumeClaim are created for MongoDB container.
$ kubectl get pvc -n mongo-replica
6. Verify that the volume is created using PowerFlex UI.
Results: On examining PowerFlex UI, it is observed that 8 GB volume k8s-242bd64bf2 and k8s- 69f2236970 are dynamically created and mounted to the MongoDB pods.
Benchmarking:
The benchmarking of MongoDB on Kubernetes was done using YCSB benchmarking tool with the following parameters:
• Number of threads: One • Block size: 64k • Number of operations: 1000 for the first instance and 100000 for the second instance
20 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Cloud Native Databases on Kubernetes
5.2 Cassandra deployment
Cassandra is an open source, wide column store, distributed, designed to handle massive amount of data workloads across multiple nodes with no single point of failure. Cassandra architecture ensures data durability and availability by distributed system across homogeneous nodes where data is distributed among all nodes in the cluster. For complete details, see Cassandra.
5.2.1 Cassandra on Kubernetes architecture Each node in the cluster exchange its health information by using Gossip protocol. A sequentially written CommitLog on each node captures write activities. The data is indexed and written to an in-memory structure called memtable. Each time the memory structure is full, the data is flushed to the disk in a SSTable datafile. In Cassandra architecture, each node in the cluster is same where each node can perform both read and write operation.
The following diagram depicts the high-level architecture of Cassandra cluster:
Cassandra architecture logical design
For more information about Cassandra components, see Cassandra Architecture.
5.2.2 Validating Cassandra on Kubernetes CassandraDB on Kubernetes cluster running on PowerFlex family platform was installed following the procedure in Cassandra Helm Chart on Github.
After adding incubator repository to the Helm chart, complete the following steps:
1. Specify the following parameters in the values.yaml in addition to the default parameters for Kubernetes environment:
$ cat values.yaml config.cluster_size: 3 persistence.enabled: true persistence.storageClass: vxflexos
2. Install the incubator/cassandra Helm Chart using values.yaml.
3. Deployed results are displayed as shown here:
$ helm status cassandra NAME: cassandra LAST DEPLOYED:
21 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Cloud Native Databases on Kubernetes
STATUS: DEPLOYED
RESOURCES: ==> v1/Pod(related) NAME READY STATUS RESTARTS AGE cassandra-0 1/1 Running 0 3h31m cassandra-1 1/1 Running 0 3h29m cassandra-2 1/1 Running 0 3h27m
==> v1/Service NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE cassandra ClusterIP None
==> v1/StatefulSet NAME READY AGE cassandra 3/3 3h31m
4. Verify that the Cassandra pods are running.
$ kubectl get pods -n cas-deploy -o wide
5. Verify that PersistentVolumeClaim are created for Cassandra container.
$ kubectl get pvc -n cas-deploy
6. Verify that the volume is created using vxflex UI.
Results: On examining vxflex UI, it is observed that 16 GB volume k8scas-3cd3b89cc0, k8cas- 3e33085080, k8scas-d1e6d7b240 and k8scas-d4a629f996 are dynamically created and mounted to the Cassandra pods.
Benchmarking: Cassandra offers a built-in java-based stress testing tool within the deployment. The tool can perform various test scenarios like 100% write, 100% read and mixed workload. However, to run read or mixed workload, Cassandra-stress testing tool requires data to be present in the database.
22 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Cloud Native Databases on Kubernetes
5.3 PostgreSQL deployment
PostgreSQL is a RDBMS with a client/server architecture model. PostgreSQL Server consists of shared memory, background process and datafile. PostgreSQL server manages database files, accepts connections to the databases from clients and perform database operations on behalf of clients. PostgreSQL can support multiple client connections at the same time.
5.3.1 PostgreSQL on Kubernetes architecture The following figure depicts the overall architecture of PostgreSQL deployment:
PostgreSQL architecture logical design
For more information PostgreSQL database Architectural Fundamentals, see PostgreSQL Architectural Fundamentals.
5.3.2 Validating PostgreSQL on Kubernetes PostgreSQL on Kubernetes cluster running on PowerFlex family platform was installed following the procedure in PostgreSQL Helm Chart on GitHub.
After adding stable repository to the Helm chart, complete the following steps:
1. Specify the following parameters in the values.yaml in addition to the default parameters for Kubernetes environment:
$ cat values.yaml replication.enabled: true replication.slaveReplicas: 3 replication.synchronousCommit: on replication.numSynchronousReplicas: 1 postgresqlDatabase: flex-db postgresqlUsername: postgres postgresqlPassword: ******* persistence.storageClass: vxflexos
2. Install the stable/postgresql Helm Chart using values.yaml.
23 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Cloud Native Databases on Kubernetes
3. Deployed results are displayed as shown here:
NAME: flex-postgres LAST DEPLOYED:
$ kubectl run flex-postgres-postgresql-client --rm --tty -i -- restart='Never' --namespace default --image docker.io/bitnami/postgresql:11.4.0-debian-9-r34 -- env="PGPASSWORD=$POSTGRES_PASSWORD" --command --psql --host flex- postgres-postgresql -U postgres -d flex-db -p 5432 To connect to your database from outside the cluster execute the following commands: kubectl port-forward --namespace default svc/flex-postgres-postgresql 5432:5432 & PGPASSWORD="$POSTGRES_PASSWORD" psql --host 127.0.0.1 -U postgres -d flex-db -p 5432
4. Verify that the PostgreSQL pods are running.
$ kubectl get pods -o wide | grep "flex-postgres-postgresql"
24 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Cloud Native Databases on Kubernetes
5. Verify that PersistentVolumeClaim are created for Cassandra container.
$ kubectl get pvc
6. Verify that the volume is created using PowerFlex UI.
Results: On examining PowerFlex UI, it is observed that 16 GB volume k8svol-46d8b22491, k8svol- 23346c1476, and k8svol-b539073c65 are dynamically created and mounted to the PostgreSQL pods.
Benchmarking: PostgreSQL offers a pre-built performance benchmarking tool using pgbench for Linux bundled within the binaries. The tool includes several load generators for simulating client traffic.
5.4 CockroachDB deployment
CockroachDB is distributed SQL database that is also known as NewSQL. The primary design goals are scalability, strong consistency, and survivability.
5.4.1 CockroachDB on Kubernetes architecture CockroachDB implements a layered architecture. It depends directly on SQL layer, which provides familiar relational concepts such as Schema, tables, columns, and Indexes. The SQL layer in turn depends on the distributed key value store, which handles the details of range addressing to provide the abstraction of a single, massive key value store. The distributed KV store that can communicate with multiple numbers of physical cockroach nodes. Each node contains one per physical device and one or more stores. Each store contains potentially many ranges, the lowest-level unit of key-value data. Ranges are replicated using the Raft consensus protocol.
The following figure depicts the high-level architecture of CockroachDB cluster:
CockroachDB architecture logical design
For more detailed about CockroachDB Architecture, see CockroachDB design.
25 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Cloud Native Databases on Kubernetes
5.4.2 Validating CockroachDB on Kubernetes CockroachDB on Kubernetes cluster running on PowerFlex family platform was installed following the procedure in CockroachDB Helm Chart on Github.
After adding stable repository to the Helm chart, complete the following steps:
1. Specify the following parameters in the values.yaml file in addition to the default parameters for Kubernetes environment:
$ cat values.yaml storage.persistentVolume.storageClass: vxflexos
2. Install the stable/cockroachdb Helm Chart using values.yaml.
3. Deployed results are displayed as shown here:
NAME: cock-release LAST DEPLOYED: Fri Aug 2 06:21:47 2019 NAMESPACE: default STATUS: DEPLOYED RESOURCES: ==> v1/Job NAME COMPLETIONS DURATION AGE cock-release-cockroachdb-init 0/1 1s 1s ==> v1/Pod(related) NAME READY STATUS RESTARTS AGE cock-release-cockroachdb-0 0/1 Pending 0 1s cock-release-cockroachdb-1 0/1 Pending 0 1s cock-release-cockroachdb-2 0/1 Pending 0 1s cock-release-cockroachdb-init-bbmbq 0/1 ContainerCreating 0 1s ==> v1/Service NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE cock-release-cockroachdb ClusterIP None
$ kubectl run -it --rm cockroach-client \ --image=cockroachdb/cockroach \ --restart=Never \ --command --./cockroach sql --insecure --host cock-release-cockroachdb- public.default
26 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Cloud Native Databases on Kubernetes
From there, you can interact with the SQL shell as you would any other SQL shell, confident that any data you write will be safe and available even if parts of your cluster fail. Finally, to open up the CockroachDB admin UI, you can port-forward from your local machine into one of the instances in the cluster: kubectl port-forward cock-release-cockroachdb-0 8080 Then you can access the admin UI at http://localhost:8080/in your web browser. For more information on using CockroachDB, please see the project's docs at https://www.cockroachlabs.com/docs/
4. Verify that the CockroachDB pods are running.
$ helm get pods
5. Verify the PersistentVolumeClaim is created for CockroachDB container.
$ kubectl get pvc
6. Verify that the volume is created using PowerFlex GUI.
Results: On examining PowerFlex UI, it is observed that 104 GB volume k8scock-138ab1de12, k8scock-146caf2fcc, and k8scock-72da9b64e1 are dynamically created and mounted to the CockroachDB pods.
Benchmarking: CockroachDB offers a built-in performance stress testing tool that is called Workload to test the performance of the deployment. The workload tool includes several load generators for simulating client traffic. For more detailed about CockroachDB benchmark tool, see TPC-C benchmark tool.
27 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Security areas for containerized workloads
6 Security areas for containerized workloads In this paper, two areas of containerized security are covered
• Storage encryption with Dell EMC CloudLink • Container security with Aquasec
6.1 Storage encryption with Dell EMC CloudLink
Data encryption should be one of important pillars of any environment’s security posture. There are a few ways to achieve this. A couple of primary ways are - encryption of the whole storage volume and encryption of individual container-volumes with CSI driver. In addition to this, CloudLink to encrypt the VMs, inside which the containers can be deployed and run.
CloudLink also allows you to manage keys either inside the CL or use an external key manager. Provided detailed information in Deploy CloudLink on PowerFlex.
6.2 Container Security dimensions with Aqua Security
We need to take a holistic view for securing ‘container workloads.’ It is critical to have both ‘pre run-time’ as well as ‘runtime’ security measures in place. As container-workloads can be of ephemeral nature, traditional practice of scanning for known malware or viruses are not enough. It is important to pay attention to all security-dimensions mentioned below. Ignoring or not paying enough attention to any of those dimensions can have huge negative impact to the workloads. Below we will look at how Security-lifecycle best-practices need to be put into place using Aqua product.
Aqua's Cloud Native Security Platform provides full visibility into container activity, allowing organizations to detect and prevent suspicious activity and attacks, providing transparent, automated security while helping to enforce policy and simplify regulatory compliance.
• Secure supply chain: Scan of registries / images from Dell EMC and application vendors. E.g. Scan of gold images from factory. This is very critical. Not securing images, will extract huge cost at the higher layers, when the workloads are deployed from vulnerable container-images. It is critical to make sure that the foundation of workloads is secure.
• Compliance: Ensure the host environment as well as images being used do not drift from expected configuration. As there is scope for bad actors to take advantage of host environment – where the containers run, it is important to maintain its integrity. Remove any unwanted packages or software from the hosted environment. This will in effect reduce the surface area of attack.
• Security Audit and Reporting: Employ pro-active regular scan of container images. As container images are built in layers, new vulnerabilities can be found in underlying components. It is necessary to pro-actively scan for any newly found CVE’s in the images that will be used for workloads.
28 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Security areas for containerized workloads
• Vulnerability assessment and Response: Plan to mitigate any vulnerabilities found. In the least, quarantine the containers and images.
• Authentication or authorization: User policy-based enforcement for hosts and containers access. Monitor file-location changes that are not authorized. Also monitor network traffic by Dynamic threat analysis.
• Secure development: Encourage developers to use best practices around containers with CI/ CD pipeline with security modules built in (DevSecOps).
29 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Deploy CloudLink on PowerFlex
7 Deploy CloudLink on PowerFlex
7.1 Prerequisites
Ensure that the following prerequisites are met before containers are added to your Kubernetes cluster.
1. Make the PowerFlex driver plug-in available in Kubernetes so that your cluster can mount PowerFlex.
You can download Dell EMC PowerFlex CSI driver from https://github.com/dell/csi-PowerFlex.
2. Create a local or custom Docker Registry that is accessible from the remote servers that are used as hosts for Kubernetes. 3. Install Kubernetes version 1.14 or greater. 4. Configure Kubernetes with a multinode cluster. 5. Install Kubectl on a server with network access to the Kubernetes cluster. 6. Install Helm on a server with network access to the Kubernetes cluster. 7. Prepare Kubernetes nodes by deploying sdp-runner daemon on every Kubernetes worker node.
For instructions on deploying sdp-runner daemon, see the README.md provided in the CloudLink Kubernetes Node Plug-in and Dockerfile in CloudLink Center.
8. Install and configure CloudLink Center. 9. Upload the encryption for Containers license to CloudLink Center. 10. Install PowerFlex SDC on all the Kubernetes worker node. 11. Create your own namespace and deploy containers and the secret.yaml file in the namespace you created.
7.2 Deploy and configure CloudLink encryption for Containers on PowerFlex
Follow the step below to deploy and configure CloudLink encryption:
1. Create a Kubernetes cluster entry in CloudLink Center and use this procedure to create a Kubernetes cluster entry in CloudLink Center. 2. Build docker images for the Kubernetes node and controller 3. Install containers CSI plugins (PowerFlex CSI and Cloud Link CSI) 4. Attach PowerFlex volumes to workloads
For detailed configuration procedure, see CloudLink deployment guide 7.0.
30 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Deploy CloudLink on PowerFlex
7.3 Post deploy CloudLink encryption for containers on PowerFlex
You can use either UI or CLI to perform the post deployment tasks.
UI method:
Go to CONTAINERS list and perform the following steps:
1. Add Kubernetes clusters.
2. Nodes are discovered.
3. View the provisioned volumes.
31 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Deploy CloudLink on PowerFlex
CLI method:
By using CLI, you can view the two types of storage classes that are created: encrypted and plain (non encrypted).
Results: The results shows the storage class of CloudLink is deployed, and we can start deploying the container with CloudLink encryption.
32 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Deploy Aquasec on PowerFlex
8 Deploy Aquasec on PowerFlex
8.1 Prerequisites
• Aquasec credentials: username and password • Aquasec enterprise License token • Access to the target Kubernetes cluster through kubectl
8.2 Deploy Aqua Enterprise in your cluster
1. Create namespace and docker registery:
kubectl create namespace aqua
kubectl create secret docker-registry aqua-registry --docker- server=registry.aquasec.com --docker-username=
kubectl apply -f httpps://raw.githubusercontent.com/aquasecurity/deployments/5.3/orchestrator s/kubernetes/quick_start/aqua-csp-quick-default-storage.yaml
2. Access the Aqua Enterprise console on Kubernetes Native to get external IP of the console.
kubectl get svc -n aqua
3. Access aqua web service from your browser, once it is ready
http://
For detailed procedure, see Quick-Start Guide for Kubernetes.
After successfully deploying Aqua on PowerFlex, sign in to view and configure the dashboards as per your requirements.
33 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Deploy Aquasec on PowerFlex
8.2.1 Dashboard The Aqua Enterprise dashboard is a 'single pane of glass' that summarizes the security posture of your assets and security risks.
The dashboard is composed of widgets; each widget presents a different kind of security-related information. It is easy to configure the dashboard by adding widgets from the widget gallery and optionally changing their spatial position on the dashboard.
Dashboard
8.3 Container security dimensions
Aquasec helps Dell EMC container security dimensions by Secure supply chain, compliance, secure audit and reporting, vulnerability assessment and response, authentication and authorization, Secure development and network segmentation. This section explains these benefits in detail.
8.3.1 Secure supply chain Aqua Enterprise provides full lifecycle security for containerized applications running on Linux or Windows hosts. The overall goal of full container lifecycle security is the deployment of applications that ensure the security of your applications' operations, data, and computing infrastructure.
Aqua Image Assurance covers the first part of the container lifecycle: image development. The Image Assurance subsystem detects, assesses, and reports security issues in your images.
Aqua Enterprise is able to integrate with any CI/CD tools such as Jenkins, Azure DevOPs, Circle CI. As the application is being build within a CI/CD tool, Aqua Enterprise is a step in that process and is able to scan the image at build time. This way the developer will get real time results on any vulnerability issue found during the build process. In addition, Aqua Enterprise is also able to connect to any docker image registry such as
34 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Deploy Aquasec on PowerFlex
Jfrog Artifactory, or any of the cloud provider container registries. Aqua Enterprise supports all major container registry as well as any registries that relies on the docker v1/v2 protocols.
It is important to have images that are from a trusted source. Either use a private registry with hardened images or use images from a docker-trusted-sources.
The following image displays Aqua Enterprise scan results of images:
Image Scan
Providing a sample scan output during the CI/CD process using Jenkins:
CI /CD
8.3.2 Compliance Center for Internet Security (CIS) maintains several sets of benchmarks to help organizations assess cyber- security threats. These benchmarks are based on an industry consensus of well-defined best practices.
Aqua Enterprise using the Aqua Enforcer checks host compliance for CIS Docker, Kubernetes, and Linux benchmarks.
35 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Deploy Aquasec on PowerFlex
In addition, Aqua can check for user defined custom compliance checks, using the Custom Compliance Checks control which is included in the Host Assurance Policy.
Aqua Enterprise has been certified by CIS Benchmarks™ to compare the configuration status of Kubernetes clusters against the consensus-based best practice standards contained in the CIS Kubernetes Benchmark. Organizations that leverage Aqua Enterprise can now ensure that the configurations of their critical assets align with the CIS Benchmarks consensus-based practice standards.
CIS benchmarking
8.3.3 Security audit and reporting Aqua Enterprise maintains an audit log of several kinds of events: both normal and those indicating security exposures. Reviewing the audit log is often essential for understanding and mitigating security problems in your environment.
Audit Record
36 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Deploy Aquasec on PowerFlex
Aqua can be integrated to send event notifications to many third-party tools such as Pager Duty, and Slack.
In addition, Aqua Enterprise can be configured to send audit logs too many SIEM tools like Splunk, AWS Cloudwatch, SumoLogic to name a few.
8.3.4 Vulnerability analysis and response Aqua Enterprise scanning will provide a detail report on all vulnerabilities and security policy violations found on images during a scan. Aqua Enterprise can identify a number of operating system packages and programming language components vulnerabilities.
The Aqua Enterprise vulnerability report will provide the severity of the vulnerability, if there is a vendor fix available, if there is an exploit available for that vulnerability, and the ability to acknowledge a particular vulnerability.
In addition, Aqua Enterprise can provide mitigation control on certain vulnerabilities using the Vshield option.
Vulnerability Report
37 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Deploy Aquasec on PowerFlex
Dynamic Threat Analysis
Aqua Security’s Dynamic Threat Analysis (DTA) is an add-on capability to Aqua Enterprise scanning capabilities. DTA dynamically assesses the risks that container images pose before they are run as containers in a live environment. DTA runs container images in a safe and isolated sandbox environment and monitors behavioral patterns and Indicators of Compromise (IoCs) such as malicious behavior and network activity, in order to detect container escapes, malware, cryptocurrency miners, code injection backdoors, and additional threats.
Assurance Policy
DTA
38 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Deploy Aquasec on PowerFlex
Realtime Protection
Aqua is able to enforce the immutability of containers by preventing changes to a running container vis-à-vis its originating image. This easy-to-use feature can prevent a large array of attack vectors, including zero-day attacks. Additional runtime controls can be used to detect and stop suspicious behaviors such as port scanning, connecting to IP address with bad reputation, and Fork Bomb denial of service attacks.
Runtime Policy
39 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Deploy Aquasec on PowerFlex
Runtime Container Policy
40 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Deploy Aquasec on PowerFlex
8.3.5 Authentication Aqua provides a number of ways to authenticate the Aqua console. Aqua Enterprise can use Basic authentication, were the users and roles are defined within Aqua. Aqua can also supports several SSO mechanisms, such as Microsoft ADFS, OKTA and others. Aqua also supports OpenID Connect, LDAP, Active Directory and OAuth2 methods.
Authentication configuration
41 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Deploy Aquasec on PowerFlex
8.3.6 Secure development Best practice is to integrate Aqua early on within the CI/CD Process. This way, Aqua can identify any potential vulnerabilities early on and while the application is still in the hands of the developer.
CI/CD Report
8.3.7 Network segmentation Aqua Enterprise provides the ability to provide Firewall policies to containers and hosts (VMs). The firewall can determine what a container or hosts are allowed to communicate with and what is allowed to communicate with the container or host.
The policy can be built manually, or interactively by recording actual live traffic of deployed workloads.
Aqua security firewall solutions can be deployed in a service mesh environment, whether it’s based on Istio and Envoy proxies, or Conduit and LinkerD proxies. The security solutions are transparent to the service mesh environment and the container firewall rules can be used to enforce network security rules in parallel with Envoy or LinkerD policies.
42 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Deploy Aquasec on PowerFlex
Network segmentation
43 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Conclusion
9 Conclusion This paper concludes that Cloud Native databases perform well on Dell EMC PowerFlex family platform with Kubernetes and security dimensions. It allows extreme scalability and flexibility for next generation containerized applications and their workloads. It also provides detailed usage of CSI driver in achieving persistent storage for stateful applications and dynamic volume creation, snapshots, deletion in PowerFlex storage system. For this validation, YSCB and TPC-C like benchmarking tools were used to verify the read and write transactions achieved specified time period each database. Securing the Cloud Native databases workloads with security lifecycle best practices in cloud native infrastructure.
44 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Appendix
A Appendix
A.1 Configuration details
PowerFlex storage-only nodes
Hardware Configuration
CPU Cores 2 x 8 Intel® Xeon® Gold 6134 CPU @ 3.20 GHz
Memory 12 x 16 DDR4 NIC 2 x MLNX 25GbE 2P ConnectX4LX Adpt 1 x Intel® 2P X710/2P I350 rNDC Storage BOSS S1 Controller 2 x 120 GB SATA SSD Dell HBA330 controller 6 x 3.84 TB SAS SSD operating system RHEL 7.6 Firmware Version 3.21.26.22 PowerFlex (VxFlex OS)* 3.0.1
*Note: VxFlex OS rebranded as PowerFlex from version 3.5.
PowerFlex compute-only nodes Hardware Configuration CPU Cores 2 x 8 Intel® Xeon® Gold 6134 CPU @ 3.20 GHz
Memory 12 x 16 DDR4 NIC 2 x MLNX 25 GbE 2P ConnectX4LX Adpt 1 x Intel® 2P X710/2P I350 rNDC Storage BOSS S1 Controller 2 x 120 GB SATA SSD Dell HBA330 controller 6 x 3.84 TB SAS SSD Hypervisor ESXi 6.7 Firmware Version 3.21.26.22 PowerFlex 3.0.1
45 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Appendix
A.2 Deployment details
Kubernetes deployment details
Components Items Details
Hardware Virtualized Hardware vSphere 6.7 CPU 2 vCPU RAM 4 GB Hard Disk 40 GB NIC VMware Virtual NIC Software Operating System Centos 7.6 Container Runtime Docker 1.19 Kubernetes v1.14 CNI Plugin Flannel
46 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058
Technical support and resources
B Technical support and resources
• Dell.com/support is focused on meeting customer needs with proven services and support. • Storage technical documents and videos provide expertise that helps to ensure customer success on Dell EMC storage platforms.
B.1 Related resources
Note: Few links might require registration to access.
• PowerFlex Overview • CSI Driver for PowerFlex Product Guide • Kubernetes components • Flannel CNI plugin • Kubernetes CSI Developer Documentation • MongoDB Helm chart • YCSB benchmark on MongoDB • Cassandra Architecture • Cassandra Helm chart • PostgreSQL components • PostgreSQL Helm chart • CockroachDB Helm chart
47 Cloud Native Databases with Kubernetes Persistent Storage on Dell EMC PowerFlex family | 000058