At KubeCon, CloudNativeCon 2019 held in San Diego this year, Rajarajan Pudupatti, Cloud Platforms Architect at Fidelity Investments and Alexis Richardson (@monadic), CEO of Weaveworks delivered a practical use case and an explanation of how Kubernetes and GitOps was successfully implemented into a large financial organization.
What are the challenges of implementing Kubernetes?
Alexis Richardson started us off with the challenges of implementing Kubernetes in a highly regulated environment. Fidelity investments is one of the largest financial asset managers in the world. As such, every application must meet a unique mix of regulatory, security and governance requirements to protect customers.
Kubernetes was chosen by Fidelity for cloud application delivery. They teamed up with AWS and Weaveworks to use GitOps as a method and workflow to implement a compliant platform.
Challenge: How does Fidelity take advantage of Kubernetes and its open source ecosystem to deliver a cloud native application platform in a highly regulated environment for its various business units?
The regulatory environment - some examples
According to Alexis, since each change is checked and audited, it’s difficult to automate and maintain velocity. New tools such as Elastic Container Registry may be restricted in such an environment. Also, if you want to use DevOps and apply GitOps, production may be locked down because of these extra audit checks.
Other problems that crop up in a regulated environment that can prevent your team from moving faster:
- Systems may not be logically configured
- Developer and SRE favoured tools may not be allowed and this can slow you down
- Organizational practices are not always “cloud native”
Move to the cloud
The move to the cloud means that Fidelity’s team can go faster. Instead of building datacenters and running that infrastructure themselves, they can have others operate and manage services. They chose Amazon first, but in the future they plan to span all public clouds.
Build a platform
Fidelity runs on Kubernetes, but they do not run directly on it. Instead they built an application platform that includes AWS services, but also a number of native Fidelity applications that for example maintain security.
Plan for the future
With a platform in place, Fidelity can plan for innovative tools that facilitate things like machine learning, and big data financial analysis or even a mobile platform.
Spinning up a cluster is easy, configuring and managing a cluster toolchain is difficult
Booting a Kubernetes cluster is dead simple these days. But managing and automating an application platform is difficult. Running and implementing a machine learning stack or a finance stack and making it safe, reproducible and auditable is challenging.
You want cattle, not pets
The reason why managing these types of stacks is difficult is that everyone configures these apps and add-ons slightly differently. When you need a consistent toolchain that can be spun up consistently across Development, QA and Staging environments, configuring this manually can slow down the team and cause errors, if you have not automated this in a repeatable way. In the worst case scenario, without automation and control you can end up with set of snowflake clusters that are impossible to maintain.
Introducing FIDEKS - Finance grade cloud native application platform @ Fidelity
Raja then explained how they built a platform to abstract away Kubernetes itself while still maintaining regulatory compliance and fostering innovation across their teams. The platform they built to operate and manage applications on EKS uses GitOps and Flux CD as the underlying architecture.
FIDEKS - an augmented Kubernetes platform
The FIDEKS platform adds managed core capabilities on top of Kubernetes. These core capabilities or add-ons are delivered and managed with GitOps.
For example, tenancy management is one capability that may need to be in more than cloud. The developer experience for managing these namespaces should be the same across all environments.
Rollouts for all cluster updates are managed with GitOps. Fidelity maintains a centralized Git repo where all of the various FIDEKS platform versions are kept and used by their end users. This base platform allows for business units to build their own customizations and variations on top.
The Fidelity platform looks like the following:
Kubernetes sits on top of the infrastructure layer. In AWS and Azure Fidelity uses the managed control plane. The Core Capabilities layer are the add-ons such as multitenancy, Security, DR, Logging, etc. kept in Git, which the business units can use and add their toolchain to from the Domain Specific layer.
GitOps workflow for multi-tenancy management
This is the workflow for add-on management for Kubernetes platforms.
What is GitOps?
GitOps is a standardized workflow for how to deploy, configure, monitor, update and manage Kubernetes infrastructure-as-code.
The core idea of GitOps is having a Git repository that always contains declarative descriptions of the infrastructure currently desired in production environment and an automated and secure process to make the production environment match the described state in the repository.
Consistent and reproducible clusters with GitOps and WKP
Not only is GitOps an effective and safe way to automate application deployments, but the same underlying technology in Flux, developed by Weaveworks, and later donated to CNCF has been extended to both cluster and platforms as well.
This is a two step process. The cluster and it’s add-ons are configured and kept in Git as a “base cluster”. Then the business units who require additional tooling can define “profiles” that allow them to add the tools they need to the underlying consistent cluster configuration. All of this is kept in Git and therefore trackable, auditable for consistent and reproducible cluster platforms.
View this talk in its entirety to find out more about how Fidelity set up a platform with Weave Kubernetes Platform: