
VSphere 7 integrates Kubernetes to build a platform for modern applications

2025-01-30 Update. From: SLTechnology News&Howtos > Servers

Shulou (Shulou.com) 06/02 Report

(Photo: early morning on the Pacific Ocean, taken in Monterey, California)

VMware's latest product, vSphere 7, has been officially released. It is positioned as a platform for modern applications and has attracted a great deal of attention and anticipation from users. This article takes an in-depth look at the native Kubernetes features of vSphere 7. (This article represents only the personal views of the author.)

VMware introduced its cloud native portfolio Tanzu and Project Pacific at VMworld last year. On March 11th, VMware released the most important version in nearly a decade, vSphere 7, which contains many new features. The most eye-catching of these is vSphere with Kubernetes (VwK), which supports the Kubernetes platform natively and manages virtual machines and containers side by side, turning vSphere into a new development and operations platform for modern applications.

vSphere with Kubernetes, formerly Project Pacific, re-architects vSphere in many ways. It introduces the concepts and architecture of Kubernetes, is application-centric, and lets developers and operators work with the system from different views, which is a landmark innovation.

VwK has been in gestation within VMware for more than 3 years, with far-reaching goals and a huge scope. Joe Beda, co-founder of Kubernetes, directed it personally, and hundreds of elite engineers were put into its research and development. Now it has finally arrived as promised.

Let's take a look at the details of vSphere with Kubernetes.

Transformation from vSphere cluster to Kubernetes cluster

vSphere with Kubernetes is an optional feature of vSphere 7. The administrator enables it in vCenter and then selects the vSphere cluster on which the VwK function is to be activated.

When VwK is enabled, three virtual machines are deployed in the vSphere cluster, each running a Kubernetes Master node, so that together they form a highly available local control plane (Local Control Plane). A Kubelet process called Spherelet then runs in the kernel of each ESXi host, making ESXi a Kubernetes Worker node. After this transformation the vSphere cluster has become a Kubernetes cluster that supports modern applications. This vSphere cluster is called the "Supervisor Cluster".

Transform vSphere cluster into Kubernetes cluster

One advantage of converting a vSphere cluster into a Kubernetes cluster is that system services can run on top of the supervisor cluster. Lifecycle operations on those system services, such as upgrade and restart, can then be carried out in the Pod style of Kubernetes, which is more flexible; at the same time the services gain good isolation, stronger security and HA protection.

The system services provided by vSphere 7 are collectively referred to as VMware Cloud Foundation (VCF) services. They fall into three categories.

Services managed by the cluster (* experimental feature, ** roadmap feature)

The first category is the Tanzu runtime services, which consist mainly of the Tanzu Kubernetes Grid (TKG) service. The TKG service manages user-level Kubernetes clusters, called Tanzu Kubernetes Clusters (TKC), on which users' applications run. Before deploying a TKC cluster, TKG first creates the virtual machines that make up the cluster. After each virtual machine starts, the Kubernetes node is deployed by the kubeadm program preset in the virtual machine template. When all virtual machines have become Kubernetes nodes, the cluster deployment is complete.

The second category is the hybrid infrastructure services, which provide the infrastructure Kubernetes needs: virtual machines, storage, networking, image registries and vSphere Pods. These services let a TKC cluster access infrastructure resources through standard interfaces such as CNI and CSI.

The third category is custom services, developed and deployed by partners or users on the same principle as the first two. This release of vSphere does not yet support such services; they will be provided in subsequent versions.

Introduction to VCF Service (59 seconds)

vCenter API to Kubernetes API

After the refactoring described above, the supervisor cluster is already somewhat like a Kubernetes cluster. To make the likeness complete, one more key step is needed: supporting the Kubernetes API. To this end, VwK wraps and extends the vSphere API so that developers are presented with a Kubernetes API.

This vSphere flavour of the Kubernetes API is remarkable. In addition to managing Pods, it can manage all of vSphere's infrastructure resources, such as virtual machines, storage, networking and container images.

The secret lies in the declarative interface of Kubernetes and its extension mechanism, the CRD (Custom Resource Definition). Infrastructure resources can be represented as CRDs: networks, storage, TKC clusters and so on each have a corresponding CRD.

Users only need to write a file in YAML format (a concise text format), declare the CRD resources they require, and use the kubectl command to create and maintain vSphere resources.

Example of a yaml file used to create a virtual machine

Anyone familiar with Kubernetes knows that the better way to manage CRD resources is the Operator pattern. An Operator is simply a program that runs on Kubernetes and is responsible for managing the lifecycle of a specific CRD resource. Many Operators run in the vSphere supervisor cluster, responsible for managing clusters, virtual machines, networks, storage and other resources.

Because the Operator pattern is an open, open-source architecture, partners can also develop custom Operators to provide richer features. More on this later.
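To make the Operator pattern concrete, here is an added example (not VMware or vSphere code) of the reconciliation loop at the heart of an Operator: it compares the declared `VirtualMachine` objects with what the infrastructure actually holds and issues only the actions needed to close the gap. The `VirtualMachine` resource shape, the API group `example.vmware.test`, the `FakeVSphere` backend, the ownership label and the sample manifests are all constructed assumptions.

```python
"""Toy reconciliation loop in the Operator style.

Added example; not VMware or vSphere code. The resource shape, the API
group `example.vmware.test`, the FakeVSphere backend and the manifests are
constructed for illustration only.
"""
import copy

# Constructed desired state: the objects a developer would `kubectl apply`.
DESIRED_MANIFESTS = [
    {"apiVersion": "example.vmware.test/v1", "kind": "VirtualMachine",
     "metadata": {"name": "web-1", "namespace": "team-a"},
     "spec": {"className": "small", "imageName": "ubuntu-20.04", "powerState": "poweredOn"}},
    {"apiVersion": "example.vmware.test/v1", "kind": "VirtualMachine",
     "metadata": {"name": "db-1", "namespace": "team-a"},
     "spec": {"className": "medium", "imageName": "ubuntu-20.04", "powerState": "poweredOn"}},
]

MANAGED_LABEL = "example.vmware.test/managed-by"  # assumed label marking VMs the operator owns


class FakeVSphere:
    """Stand-in for the infrastructure API (assumption). Keys are 'namespace/name'."""

    def __init__(self):
        # A VM created outside the operator; it carries no ownership label and
        # must never be deleted by the reconciler.
        self.vms = {"ops/legacy-jumpbox": {"class": "small", "image": "centos-7",
                                           "power": "poweredOn", "labels": {}}}

    def create(self, key, spec):
        self.vms[key] = {"class": spec["className"], "image": spec["imageName"],
                         "power": spec["powerState"], "labels": {MANAGED_LABEL: "vm-operator"}}

    def set_power(self, key, state):
        self.vms[key]["power"] = state

    def delete(self, key):
        del self.vms[key]


def vm_key(obj):
    return f"{obj['metadata']['namespace']}/{obj['metadata']['name']}"


def reconcile(manifests, backend):
    """One reconciliation pass; returns the list of (action, key) performed.

    Idempotent: a second pass over unchanged input performs nothing. Only VMs
    carrying the operator's own label are ever deleted, so resources created
    by other means are left alone.
    """
    wanted = {vm_key(m): m["spec"] for m in manifests if m["kind"] == "VirtualMachine"}
    actions = []
    for key, spec in wanted.items():
        current = backend.vms.get(key)
        if current is None:
            backend.create(key, spec)
            actions.append(("create", key))
        elif current["power"] != spec["powerState"]:
            backend.set_power(key, spec["powerState"])
            actions.append(("set_power", key))
    for key, vm in list(backend.vms.items()):
        if key not in wanted and vm["labels"].get(MANAGED_LABEL) == "vm-operator":
            backend.delete(key)
            actions.append(("delete", key))
    return actions


def demo():
    """Three passes: initial create, a no-op, then convergence after the manifests change."""
    backend = FakeVSphere()
    first = reconcile(DESIRED_MANIFESTS, backend)
    second = reconcile(DESIRED_MANIFESTS, backend)
    changed = copy.deepcopy(DESIRED_MANIFESTS)
    changed[0]["spec"]["powerState"] = "poweredOff"   # developer powers web-1 off
    del changed[1]                                     # developer removes db-1
    third = reconcile(changed, backend)
    return first, second, third, sorted(backend.vms)


if __name__ == "__main__":
    for label, result in zip(("pass 1", "pass 2", "pass 3", "remaining VMs"), demo()):
        print(label, result)
```

The point to notice is that the loop never executes a "create VM" or "delete VM" command directly on the user's behalf; the user only edits the declared state, and the Operator decides what to do. That is also why the ownership label matters: a reconciler that deletes everything it does not recognise would wipe out resources that belong to someone else.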

Add CRX to run vSphere Pod

Now that vSphere provides a Kubernetes API, the question is: can vSphere run Pods directly? The answer is yes. (Note: a Pod is the smallest unit in which Kubernetes runs an application; it consists of one or more containers.)

In vSphere 7, ESXi has a built-in container runtime called CRX (Container Runtime for ESXi). When CRX runs a Pod, it creates a virtual machine and starts a tiny Linux kernel of about 20-30MB inside it. It then mounts the file system of the container image into the virtual machine and finally executes the application in the image. That is how a Pod's application is launched.

A Pod run by CRX lives in a lightweight virtual machine called a vSphere Pod (formerly PodVM). Because a vSphere Pod is created as a virtual machine, it has stronger isolation and better security than a Pod based on Linux containers. Another benefit is that Windows containers can be supported at the same time, which Linux containers cannot achieve.

Architecture of ESXi native Pod

The yellow part of the image above is the CRX-based vSphere Pod. When it is created, the Kube Proxy of NSX updates the network at the same time, and the storage component CNS creates the VMDK and binds it to the PV (Persistent Volume) required by the vSphere Pod.

Does the vSphere Pod give you a sense of deja vu? Yes: VMware's earlier product VIC and the open source project Kata Containers both adopted a similar technique of loading containers into lightweight virtual machines. After several years of accumulation, it has developed into a relatively mature technology.

Most of the core engineers who took part in the VIC project continue the fight in vSphere 7. VIC supported the Docker API and single containers, whereas vSphere with Kubernetes supports the Kubernetes API and Pods (which may contain multiple containers).

TKC cluster (application cluster)

The supervisor cluster described earlier can use the Kubernetes API directly to manage vSphere resources and can run Pods. However, it should be pointed out that the supervisor cluster is not fully Kubernetes API compliant; for example, privileged Pods cannot be used in the supervisor cluster. Second, the Kubernetes version of the supervisor cluster is relatively fixed and unlikely to be upgraded frequently. Also, there is only one supervisor cluster per vSphere cluster, so different versions of Kubernetes cannot be offered in multi-tenant scenarios.

TKC cluster

For these reasons, VwK provides the Tanzu Kubernetes Cluster (TKC), which is managed by the TKG service described earlier. Put simply, it is a Kubernetes cluster deployed in virtual machines; it complies with the CNCF Conformance certification standard and is compatible with applications that run on Kubernetes. A TKC cluster can use the VCF services built into the supervisor cluster directly, which makes obtaining resources such as load balancers and PVs very convenient.

The TKG service uses the Cluster API open source project of the Kubernetes community. Cluster API embodies the idea of "managing Kubernetes with Kubernetes": users submit the specification of the cluster to be created, in the form of a CRD, to a Kubernetes management cluster, which then maintains the lifecycle of the target cluster according to that CRD. Cluster API supports a variety of cloud service providers through providers. In vSphere 7, the supervisor cluster is the management cluster, and only the vSphere provider exists.

Cluster API: managing K8s with K8s

Namespace: the application view

Key points of namespaces (58-second video)

As mentioned earlier, VwK provides a separate view for the application, called the Namespace. Namespace is a widely used concept in computer science for distinguishing different logical functions or entities, such as namespaces in programming languages, namespaces in Linux, and namespaces in container registries. VwK borrows and extends the Kubernetes concept of a namespace, which divides a cluster into virtual clusters, and applies it to the supervisor cluster.

The relationship between Namespace and Supervisor Cluster and SDDC

A Kubernetes namespace logically isolates an application and forms a virtual cluster. The advantage is that each namespace can have its own resource management policies, such as a single, uniformly controlled network access policy.

VwK adds namespaces to the supervisor cluster, and a namespace can contain resources such as containers, virtual machines and vSphere Pods. All the resources an application needs, such as Pods and virtual machines, are gathered under a single namespace. Because a namespace is an application-oriented logical unit, we only need to configure quota, HA, DRS, network, storage, encryption and snapshot policies on the namespace to control all the application's virtual machines, Pods and other resources, which greatly simplifies operations and maintenance.

Namespace in the user interface (left navigation bar)

From the point of view of the technical implementation, when an administrator creates a namespace, vSphere automatically creates a corresponding resource pool (Resource Pool) in the background that holds all the resources in the namespace. Managing and controlling the namespace is then essentially a resource pool operation.

Namespace is supported by Resource pool

The namespace is an innovation of VwK. It defines the boundary between administrators and developers, implements application-oriented management, and improves the development efficiency of new applications. After the administrator creates a namespace in vCenter, it can be handed over to developers. Developers use the Kubernetes API to create the virtual machines, vSphere Pods or Kubernetes clusters (TKC clusters) their applications need inside the namespace, without any intervention by the administrator. The administrator only needs to manage the namespace's resource policy, and however much the development team reshuffles its resources, the administrator can rest easy.

Built-in Harbor Registry

Harbor Registry is no stranger to users in China. VwK's image registry service is provided by the open source Harbor project, which secures images and improves performance. When a namespace is created, a Harbor project is created along with it to provide the image service for that namespace. Our team conceived this design a long time ago, and now it is finally realised in vSphere.
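The two preceding sections describe a namespace as the boundary between administrators and developers: the administrator sets the policy, and developers create resources inside it, pulling images from the namespace's own Harbor project. The following added example (not VMware or vSphere code) models that boundary as an admission-style check that runs before any resource would be created. It also enforces the supervisor cluster's refusal of privileged Pods mentioned earlier. The registry host, namespace names, quotas, user names and the request format are constructed assumptions.

```python
"""Admission-style policy check modelling the namespace boundary.

Added example; not VMware or vSphere code. Registry host, namespace names,
quotas, users and the request format are constructed assumptions.
"""
from dataclasses import dataclass

REGISTRY = "harbor.example.invalid"  # assumed hostname of the built-in Harbor registry


@dataclass(frozen=True)
class NamespacePolicy:
    """What the administrator configures for a namespace (simplified assumption)."""
    name: str
    cpu_limit: int          # total vCPUs the namespace may consume
    memory_limit_mb: int    # total memory in MB
    max_vms: int            # maximum number of virtual machines
    developers: frozenset   # users allowed to create resources here


@dataclass
class Usage:
    cpu: int = 0
    memory_mb: int = 0
    vms: int = 0


class Admission:
    def __init__(self, policies):
        self.policies = {p.name: p for p in policies}
        self.usage = {p.name: Usage() for p in policies}

    def admit(self, user, namespace, kind, spec):
        """Return (allowed, reason). An allowed request is charged to the quota."""
        policy = self.policies.get(namespace)
        if policy is None:
            return False, f"namespace {namespace!r} does not exist"
        if user not in policy.developers:
            return False, f"{user!r} may not create resources in {namespace!r}"
        if kind == "Pod":
            # Images must come from the Harbor project that belongs to this namespace;
            # the trailing slash stops 'team-a' from matching a project named 'team-ab'.
            project_prefix = f"{REGISTRY}/{namespace}/"
            if not spec["image"].startswith(project_prefix):
                return False, f"image must be pulled from {project_prefix}"
            if spec.get("privileged", False):
                return False, "privileged pods are not permitted in the supervisor cluster"
        elif kind != "VirtualMachine":
            return False, f"unsupported kind {kind!r}"
        use = self.usage[namespace]
        if use.cpu + spec["cpu"] > policy.cpu_limit:
            return False, f"cpu quota exceeded ({use.cpu}+{spec['cpu']} > {policy.cpu_limit})"
        if use.memory_mb + spec["memory_mb"] > policy.memory_limit_mb:
            return False, "memory quota exceeded"
        if kind == "VirtualMachine" and use.vms + 1 > policy.max_vms:
            return False, f"vm count quota exceeded (max {policy.max_vms})"
        use.cpu += spec["cpu"]
        use.memory_mb += spec["memory_mb"]
        if kind == "VirtualMachine":
            use.vms += 1
        return True, "admitted"


def run_scenario():
    """Constructed sequence of developer requests; returns the (allowed, reason) verdicts."""
    team_a = NamespacePolicy("team-a", cpu_limit=8, memory_limit_mb=16384,
                             max_vms=2, developers=frozenset({"alice"}))
    gate = Admission([team_a])
    requests = [
        ("alice", "team-a", "Pod", {"image": f"{REGISTRY}/team-a/web:1.0", "cpu": 2, "memory_mb": 2048}),
        ("bob", "team-a", "Pod", {"image": f"{REGISTRY}/team-a/web:1.0", "cpu": 1, "memory_mb": 512}),
        ("alice", "team-a", "Pod", {"image": "docker.io/library/nginx:latest", "cpu": 1, "memory_mb": 512}),
        ("alice", "team-a", "Pod", {"image": f"{REGISTRY}/team-a/dbg:1", "cpu": 1, "memory_mb": 512,
                                    "privileged": True}),
        ("alice", "team-a", "VirtualMachine", {"cpu": 2, "memory_mb": 4096}),
        ("alice", "team-a", "VirtualMachine", {"cpu": 2, "memory_mb": 4096}),
        ("alice", "team-a", "VirtualMachine", {"cpu": 1, "memory_mb": 1024}),   # third VM: over max_vms
        ("alice", "team-a", "Pod", {"image": f"{REGISTRY}/team-a/batch:2", "cpu": 4, "memory_mb": 1024}),
        ("alice", "team-b", "Pod", {"image": f"{REGISTRY}/team-b/web:1.0", "cpu": 1, "memory_mb": 512}),
    ]
    return [gate.admit(*r) for r in requests]


if __name__ == "__main__":
    for allowed, reason in run_scenario():
        print("ALLOW" if allowed else "DENY ", reason)
```

Every denial is decided from the namespace policy alone: the developer never needs (and never gets) rights on the underlying resource pool, and the administrator never has to look at individual Pods or VMs, which is exactly the separation the namespace is meant to give.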

Everything as a service

Joe Beda, co-founder of Kubernetes, has a classic saying: "Kubernetes is the platform for platforms, and can be used to build new platforms." This sentence captures precisely how the creators of Kubernetes position the product and think about its design. Kubernetes can manage not only container orchestration but also other services, such as databases, function services and artificial intelligence services.

This concept is fully reflected in vSphere with Kubernetes: the vSphere platform can host all kinds of services (XXX as a Service). We only need to deploy the Operator for a specific service in the supervisor cluster, and we can then use that Operator to operate and maintain the corresponding service.

The supervisor cluster becomes the control plane and can manage a variety of services.

The TKC cluster mentioned above is essentially Kubernetes as a Service, and its Operator is already built into the supervisor cluster. In the same way we can deploy Operators for VM as a Service, MySQL as a Service and other services in order to manage them.

Because the Operator pattern is an open architecture, partners can develop services with all kinds of functions and deploy and run them in the supervisor cluster. This will make the ecosystem around vSphere flourish and turn it into a true "platform for platforms".

vSphere with Kubernetes transforms vSphere into a new generation of modern application platform that changes the rules of the game, and it is without doubt the brightest component of the VMware Tanzu portfolio.

This VMware product release also includes the Tanzu suite, VCF 4 and other products. You can follow the official website, or watch for the author's follow-up articles introducing them.
