Future Challenges

James Lott edited this page Feb 24, 2017 · 2 revisions

The goal of building a globally distributed Kubernetes cluster will present us with a great many challenges. Not all of them will be immediately pertinent to the stage of the project we are actively focused on. This page serves as a brainstorming ground for potential problems we may want to think about, but which won't be faced until the mid-to-distant future.

Overlay Network Backend

Security

We ultimately want an overlay network that supports both network policy and node-to-node TLS. As of September 2016, 3 such backends support network policy.

  • Romana
  • Calico
  • Canal

Amongst these 3:

  • Romana DOES NOT APPEAR to support TLS
  • Calico DOES NOT support TLS
  • Canal is a special snowflake; it is not a distinct overlay solution itself, but simply a deployment pattern for combining the network policy capability of Calico with the transport capability of flannel. This should provide inter-node TLS and policy support, but leaves us to figure out the question of securing etcd communication

A known backend that DOES support TLS (and is the default backend configured by the kubernetes contrib ansible playbooks) is Flannel, though it DOES NOT support network policy.

NAT Traversal

In an eventual cluster where compute resources can be donated from anywhere, we will inevitably need to address the problem of ensuring nodes can join the cluster from behind NAT gateways. Some deeper research into the Kubernetes architecture is needed to identify the potential problem points (for example, which components must initiate connections to a node rather than accept them from it) and possible solutions.

Persistent Volume Storage

Secure Communication

One of the forward-looking challenges with the leading networked storage solutions (namely Ceph and NFS) is that they are designed only to solve the problems within their own problem domain, i.e., storage. Securing networked communication between the storage backends and their clients is not part of that problem domain.

  • So far, the only thing I can think of is we would need some sort of node -> node overlay network which handles encrypting packets.
    • This would inevitably translate to poor throughput. Potentially a very bad look for storage backends.