Reducing Kubernetes tool sprawl: Tietoevry uses Cilium and Hubble
Tietoevry uses Isovalent Enterprise for Cilium with Hubble to get advanced network policies (DNS!), reduce Kubernetes tool sprawl, and gain the insights needed to monitor its various SLAs.
Cilium can be crucial for platform maintainers: since it already is so powerful, there are fewer different pieces of a puzzle you have to install into the cluster. You don’t need an extra Ingress or Service Mesh.
Endre Karlson, SRE Tietoevry Industries
Tietoevry presenting their use cases
If you prefer to watch David and Endre from Tietoevry presenting their use cases themselves, watch the recording of our webinar!
Tietoevry Industry specializes in segment-specific software and data platform services. Tietoevry Industry’s close to 1600 experts are digitalizing business-critical processes for enterprises and the public sector. They are powering large parts of society through their software and data platform services, ensuring business continuity and modernization for companies and organizations within industry segments such as public sector, Education, Pulp, Paper & Fibre, and Energy & Utilities.
One of the businesses of Tietoevry Industries is to facilitate access to government assets, like the national population registry. For example, if someone needs a loan from a bank to buy a car, the bank can request personal data about this individual from the registry via the applications built and managed by Tietoevry.
Situation & Challenge
Tietoevry Industries builds and maintains Kubernetes platforms for internal usage. The clusters run on various platforms, from VMware Cloud Director (vCD) to Azure Kubernetes Service (AKS) to bare metal. In addition to cluster management, Tietoevry Industries also helps the application owners with implementing CI/CD pipelines, deploying and troubleshooting applications, and exposing the apps to the outside.
To connect and secure these clusters across these heterogeneous environments, the SRE team needed a Container Network Interface (CNI) that would be fast, but that would also offer more comprehensive features:
- The Kubernetes tool sprawl problem was an issue in past use cases, where an ingress or service mesh required the installation and operation of additional tooling.
- There were a lot of external services that required access to be governed by policies. Maintaining long lists of IPs for these services was cumbersome.
- Network observability was key: Tietoevry Industries needed to be able to pinpoint who was responsible if SLAs were to be breached. Monitoring of TCP latency, multi-cluster connectivity, and DNS usage was essential.
- Given the nature of Tietoevry Industries’ business, Zero Trust is a must. Tietoevry Industries was looking for a way to easily start with a deny-all model and build the policies from there, in a user-friendly and easy-to-understand way.
- At the same time, the app owners should be able to troubleshoot on their own, easing the burden on the SREs.
- Last but not least, a lot of traditional, monolithic apps had to be migrated to Kubernetes and modernized in the process. This required key insights into the service interdependency and connectivity.
Solution: less Kubernetes tool sprawl using Cilium
The self-service observability capabilities are great: You can give developers direct access to their Hubble portal. There is no need for them to call the SREs to troubleshoot.
David Haugli, SRE Tietoevry Industries
By using Isovalent Enterprise for Cilium for their CNI and overall networking and observability layer, Tietoevry was able to consolidate the tool stack. They could answer their needs with advanced network policies, zero trust security, and in-depth observability. Particularly, as part of Isovalent Enterprise for Cilium, the following solutions were of note:
- DNS/FQDN-capable network policies helped to simplify network policies, especially compared to managing lists of IPs. This eased the burden on operations.
- The Hubble UI with its service map enabled the team to implement zero trust policies, starting with a deny-all policy and quickly moving from there with the insight Hubble provided.
- Cilium’s self-service access based on cloud-native identities like namespaces allows application owners to troubleshoot applications on their own, greatly reducing the need for the SRE team to jump to support.
- Advanced network observability helped to monitor key signals like latencies in TCP requests, allowing efficient mapping of signals to SLAs. The native integration of Grafana simplified exporting the data and visualizing it in corresponding dashboards.
- Isovalent Enterprise for Cilium natively comes with many features, eliminating any need for an additional service mesh like Istio on top. This greatly reduced operational complexity and brought cost savings compared to adding an additional Istio-based solution.
Using Cilium on the legacy app saved us most likely a whole year.
David Haugli, SRE Tietoevry Industries
Tietoevry Industries was able to reduce Kubernetes tool sprawl by using Isovalent Enterprise for Cilium, and thus greatly simplify its overall Kubernetes administration. This enabled Tietoevry to implement zero trust in its environment.
Hubble allowed better insights into what was happening in the cluster itself, allowing improved observability and monitoring as well as more efficient migration and modernization of monolithic legacy apps. The additional self-service capabilities simplified troubleshooting and overall cooperation between operations and app-owner teams.
If you want to learn more about Isovalent Enterprise for Cilium, check out our Isovalent Cilium Enterprise product page. You can find more customer resources in the section Cilium Case Studies in our resource library.