Mirantis OpenStack for Kubernetes 23.1 improves networking, security, user experience
Today Mirantis is proud to announce the release of Mirantis OpenStack for Kubernetes 23.1 (MOSK). This release includes significant security improvements out of the box, as well as full support for Tungsten Fabric to provide advanced network capabilities, an improved user experience, and for more technical users, the ability to customize their OpenStack deployment to more closely match their unique needs.
Tungsten Fabric 21.4: The Latest in Telco Network Virtualization for MOSK
As part of its commitment to delivering the latest and greatest in cloud technology, MOSK now fully supports Tungsten Fabric 21.4 as a networking back end for new and existing clouds. Existing MOSK deployments using Tungsten Fabric will be automatically updated to this new version during the cluster update to the 23.1 release to ensure that they can take advantage of the latest features and capabilities.
One of the key highlights of the Tungsten Fabric 21.4 version is support for configuring the Maximum Transmission Unit (MTU) for virtual networks. With this capability, you can set the maximum packet size for your virtual networks, ensuring that your network traffic is optimized for performance and efficiency.
Another notable feature of Tungsten Fabric 21.4 is the improved Long-Lived Graceful Restart, which is particularly helpful for edge architectures. It allows for faster and smoother network convergence in the case of a network failure or maintenance activity.
Advanced load balancing for Tungsten Fabric
Mirantis OpenStack for Kubernetes now also offers a technical preview of advanced load balancing with Tungsten Fabric. This update replaces the old implementation, which relied on the Tungsten Fabric-controlled HAProxy, with a new approach that enables OpenStack Octavia/Amphora components to work on top of Tungsten Fabric.
Firstly, the new approach provides full compatibility with the standard OpenStack load-balancing API. This means that cloud users can use the same API and features regardless of the network backend in use, simplifying the onboarding of the workloads to their cloud.
Secondly, the advanced load balancing feature enables users to configure layer 7 load balancing policies. These policies enable cloud applications to distribute traffic based on specific rules and criteria, such as URL, cookies, headers, or other application-level data. This enables MOSK to handle application traffic efficiently and improve the performance of applications. For example, an e-commerce website may use layer 7 load balancing policies to distribute traffic based on the user's location or device type. This ensures that users are served by the closest or most appropriate server, improving the website's performance and user experience.
Thirdly, the new approach supports HTTPS/TLS-terminating load balancers, in conjunction with the MOSK Key Manager service (OpenStack Barbican), which provides centralized management and control over SSL/TLS certificates. This helps keep all SSL/TLS certificates up to date, reducing the risk that the system will use expired or compromised certificates.
Finally, in addition to TCP-based load balancing, OpenStack Octavia also supports the UDP protocol, enabling users to handle a wider range of network traffic and manage certain types of cloud applications more effectively.
Whether you're a large enterprise or a small business relying on Tungsten Fabric as the networking backend for OpenStack, this feature can help you improve the performance, reliability, and security of your cloud workloads.
Dynamic configuration of resource oversubscription
One of the new additions to MOSK is support for the modern practice of dynamic configuration of resource oversubscription. With this new feature, cloud administrators can seamlessly set a compute node's CPU, RAM, and disk overcommit ratios via the OpenStack Placement API without restarting the components of the OpenStack control plane. This capability means that administrators can adjust resource oversubscription settings on the fly, without causing any downtime or disruption to their cloud environment.
This release of Mirantis OpenStack for Kubernetes includes a great number of security improvements.
Automated rotation of OpenStack service account credentials
Mirantis OpenStack for Kubernetes 23.1 has introduced an automated rotation for OpenStack super-admin and service account credentials. This new procedure enables operators to regenerate and propagate new passwords quickly and with minimal impact on the cloud. All a cloud operator needs to do is execute a single command and MOSK creates a new set of credentials, configures them across the cloud control plane, and restarts the corresponding services for the change to take effect.
This feature is particularly useful for cloud operators who are required to update system passwords regularly. By automating the secret rotation process, Mirantis OpenStack for Kubernetes simplifies making sure a cloud complies with enterprise security policies for strong password protection of infrastructure components.
OpenStack access policy set to restrict the privileges of the project admin role
In multi-tenant environments, security and resource isolation are critical concerns for cloud operators. The default policy set in upstream OpenStack, however, can pose challenges, as it grants project administrators superuser permissions that allow them to manipulate cloud resources outside their projects. But because some manipulations needed for day-to-day cloud application management still require power user permissions, leaving all cloud users as just members of their projects is not a feasible solution either.
At Mirantis, we recognize that many of our customers are struggling with the default policy set and need to ensure that applications and their owners are strictly isolated from each other. To help address this challenge, we are proud to announce a new validated policy set in our Mirantis OpenStack for Kubernetes that restricts project administrators exclusively to their projects, allowing only global administrators and service users to have unlimited access to the cloud. The new policy set needs to be turned on explicitly to take effect.
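To make the difference between the two policy sets concrete, here is an added example (not MOSK's or upstream OpenStack's own policy files or evaluator) that re-implements, in a few dozen lines of Python, the subset of oslo.policy rule syntax needed to compare them: `role:` checks, `rule:` references, `and`/`or`, and target substitution such as `project_id:%(project_id)s`. The policy names `global_admin`, `project_admin` and `service`, the `system_scope:all` credential check, and the sample credentials are illustrative assumptions; `os_compute_api:servers:delete` is the real Nova policy name, but the rules attached to it here are simplified. The point it shows is the one in the text: under a default-style set, `role:admin` is satisfied by any token carrying the admin role, so a project administrator can delete a server in another project, whereas a project-scoped rule denies that while still allowing global administrators and service users through.

```python
import re

# Default-style policy: "admin" is checked as a bare role, so an admin token
# scoped to any project passes, regardless of which project owns the target.
DEFAULT_POLICY = {
    "admin_api": "role:admin",
    "project_member": "project_id:%(project_id)s",
    "os_compute_api:servers:delete": "rule:admin_api or rule:project_member",
}

# Restricted-style policy: admin rights only count inside the caller's own
# project; unlimited access is reserved for system-scoped global admins and
# service users. (Illustrative rule names, not MOSK's actual policy set.)
RESTRICTED_POLICY = {
    "global_admin": "role:admin and system_scope:all",
    "service": "role:service",
    "project_admin": "role:admin and project_id:%(project_id)s",
    "project_member": "project_id:%(project_id)s",
    "os_compute_api:servers:delete": (
        "rule:global_admin or rule:service or rule:project_admin or rule:project_member"
    ),
}


def _eval(expr, policy, creds, target):
    """Evaluate a simplified oslo.policy-style rule expression.

    Supports 'or' (lowest precedence), 'and', 'rule:<name>' references,
    'role:<name>' membership checks and '<key>:<value>' credential checks,
    where <value> may be a '%(field)s' substitution taken from the target.
    Parentheses and 'not' are deliberately unsupported in this demo.
    """
    if " or " in expr:
        return any(_eval(p, policy, creds, target) for p in expr.split(" or "))
    if " and " in expr:
        return all(_eval(p, policy, creds, target) for p in expr.split(" and "))
    key, _, value = expr.partition(":")
    if key == "rule":
        return _eval(policy[value], policy, creds, target)
    if key == "role":
        return value in creds.get("roles", [])
    match = re.fullmatch(r"%\((\w+)\)s", value)
    if match:
        value = target.get(match.group(1))
    if value is None:
        return False
    return str(creds.get(key)) == str(value)


def enforce(policy, action, creds, target):
    """Return True if `creds` may perform `action` on `target` under `policy`."""
    return _eval(policy[action], policy, creds, target)


if __name__ == "__main__":
    # Constructed sample credentials and target, labelled as such.
    project_admin_a = {"roles": ["admin", "member"], "project_id": "proj-a"}
    server_in_b = {"project_id": "proj-b"}
    action = "os_compute_api:servers:delete"
    for name, policy in (("default", DEFAULT_POLICY), ("restricted", RESTRICTED_POLICY)):
        allowed = enforce(policy, action, project_admin_a, server_in_b)
        print(f"{name}: project admin of proj-a deleting a server in proj-b -> {allowed}")
```

Run it and the default-style set answers True for the cross-project delete while the restricted set answers False; the same restricted set still permits the project admin inside proj-a, a system-scoped global admin anywhere, and a caller with the service role. In a real deployment the equivalent rules live in each service's policy.yaml and are evaluated by oslo.policy itself, which also supports parentheses, `not`, and scope types that this toy evaluator omits.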
Other security improvements
When it comes to cloud computing, security should be a top priority. With so much sensitive data being stored and transferred in the cloud, it's essential that the right security measures are in place to protect it.
One of the essential security features offered by MOSK 23.1 is the encryption of VM console traffic. When turned on, this feature prevents an attacker on the internal network from eavesdropping on the VNC data sent between compute and controller nodes. It's a typical compliance requirement to have in-cloud networking secured as much as the communication between users and the cloud. By adding encryption, MOSK ensures that its operators' data is protected from prying eyes.
Another important security feature is the ability to hide OpenStack configuration parameters in Kubernetes secrets. This feature ensures that no credentials or secret data are going to be exposed when sharing or backing up cloud configuration. In the future, when encryption is enabled for secrets in the Kubernetes underlay, this feature will become even more useful.
Mirantis is committed to pursuing a vulnerability-free status for our products. In addition to the above security features, in the latest release, we addressed 79 critical vulnerabilities in our MOSK and Mirantis Container Cloud (MCC) components, ensuring that our customers' data is safe from potential threats. While not all of these vulnerabilities were exploitable, the fact that Mirantis takes security so seriously is reassuring to our users.
Learn How to Build Your First Cloud Application with OpenStack
Are you new to OpenStack and looking to build your first cloud application? Look no further than the new tutorial offered by Mirantis. The tutorial is designed to help beginning users learn how to make the best of OpenStack and accelerate the process of onboarding their cloud workloads.
The tutorial guides you through the process of deploying and managing a sample application using popular automation tools, OpenStack's built-in Orchestration service (OpenStack Heat), and HashiCorp Terraform. By following the instructions, you'll learn the powerful capabilities of OpenStack in general and MOSK in particular.
The sample application suggested by Mirantis is a typical web-based application consisting of a front end that provides a RESTful API situated behind the cloud load balancer (OpenStack Octavia) and a back-end database that stores data in the cloud block storage (OpenStack Cinder volumes). By starting with a pre-built application, you can focus on learning the ins and outs of OpenStack without worrying about building a complex application from scratch.
Once you have the sample application up and running, you can extend it to make use of the advanced features offered by MOSK. With the powerful capabilities of OpenStack at your fingertips, you can build complex, scalable applications that meet the needs of your business.