VMware and Pivotal put NSX spin on Kubernetes security

VMware and Pivotal mix NSX network segmentation into PKS 1.3 to appeal to large, advanced users of vSphere and Kubernetes who manage multi-tenant container clusters.

VMware and Pivotal look to address large enterprises' need for sophisticated tools to ensure Kubernetes security with the latest update to Pivotal Container Service.

VMware Pivotal Container Service (PKS) version 1.3, released this week, deepens the platform's integration with VMware NSX software-defined networks to provide advanced network segmentation features for multi-tenant container environments. Kubernetes natively provides role-based access control (RBAC) and, through NetworkPolicy resources enforced by the cluster's network plugin, isolation between namespaces, but it assumes a single, flat, cluster-wide pod address space. PKS 1.3's updated integration with NSX Tier-0 virtual routers goes further and lets tenants in shared clusters use overlapping IP address ranges, which stock Kubernetes networking does not allow.
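
As an added illustration of the native Kubernetes controls the paragraph above contrasts with NSX (example configuration written for this page, not code from VMware, Pivotal or the PKS product), the manifests below give one tenant namespace a default-deny NetworkPolicy, an allow rule for traffic from within the same namespace plus DNS egress, and an RBAC binding that scopes the tenant's group to that namespace only. The namespace name tenant-a, the group name tenant-a-devs and the DNS port are assumptions. The kube-system selector relies on the kubernetes.io/metadata.name label, which recent Kubernetes releases set on every namespace automatically; on older clusters, label the namespace yourself. NetworkPolicy is only enforced when the network plugin implements it; on PKS with NSX-T that enforcement comes from the NSX container plugin, and on other CNIs it depends on the plugin in use.

```yaml
# Added example, not from the article or from PKS: namespace-scoped
# isolation using only stock Kubernetes objects. All names are assumed.
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a
---
# Default deny: an empty podSelector matches every pod in the namespace,
# and listing both policy types means no ingress or egress is permitted
# unless another policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# Allow pods in tenant-a to talk to each other (a podSelector without a
# namespaceSelector matches pods in the policy's own namespace only) and
# allow DNS egress to kube-system so service discovery keeps working.
# Traffic from every other namespace stays blocked by default-deny-all.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector: {}
  egress:
  - to:
    - podSelector: {}
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system   # assumed label, see lead-in
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
# RBAC: the tenant's group may administer objects in tenant-a only.
# The built-in ClusterRole "admin" is bound through a RoleBinding, so the
# grant is limited to this namespace rather than being cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tenant-a-admins
  namespace: tenant-a
subjects:
- kind: Group
  name: tenant-a-devs          # assumed group name from the identity provider
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
```

After applying the manifests with kubectl apply -f, a quick check of the RBAC scope is kubectl auth can-i list pods --as=someone --as-group=tenant-a-devs -n tenant-a (expect yes) against the same command with -n kube-system (expect no). For the network side, a pod in a second namespace should fail to reach a service in tenant-a while pods inside tenant-a still resolve names and reach each other.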

Other new NSX integrations include the ability to choose, for Kubernetes pods that make egress requests, between routable pod IP addresses and non-routable addresses that NSX translates with source NAT on the way out, so that a tenant's internal addressing need not be exposed to the rest of the network.

These features shore up Kubernetes security in advanced enterprise IT shops such as T-Mobile, which presented at VMware's annual conference in 2018 about running VMware PKS in production.

"We have some very advanced customers who are running multiple clusters, and they're very experienced with running Kubernetes already," said Wendy Cartee, senior director of cloud-native apps at VMware. "What we've added in PKS 1.3 with some of the networking capabilities is specifically designed for customers that have a need for better multi-tenancy and network segmentation."

Many of these customers have dabbled in upstream Kubernetes and turned to VMware PKS to add polish to highly complex production environments, Cartee added.

Industry experts predict more upstream Kubernetes users will turn to packaged options from vendors in this way in 2019.

"Enterprises are almost done struggling and failing with Kubernetes on their own," said Jay Lyman, analyst at 451 Research.

Meanwhile, VMware and Pivotal networking efforts will pull in network admins to DevOps teams and cloud-native application releases, Lyman said. "Networking is often one of the last itches to get scratched in these open source frameworks," he said.

Azure support closes gap with OpenShift

Most enterprise IT shops, including VMware customers, are nowhere near a need for advanced Kubernetes security and network segmentation features. Many of them already manage on-premises workloads with vSphere, but aspire toward cloud migration. And they require support for multiple cloud provider infrastructures from Kubernetes management tools to preserve the promise of container portability.

Thus, Azure support in VMware PKS 1.3 aims to capture the attention of customers in the planning stages of Kubernetes deployment. Red Hat OpenShift had a head start on VMware PKS, offering "deploy once, run anywhere" application support on all the major public cloud providers. VMware PKS, however, can appeal to a large VMware vSphere install base, where features such as NSX integration will also resonate.

"NSX is a pretty good product in the VMware arsenal," said Gary Chen, analyst at IDC. Enterprises may see cloud services as the ideal, but most enterprise workloads remain on premises today, he said.

"In many cases, the vSphere administrator is also tasked with Kubernetes containers, or works closely with the administrator who is," Chen said. "With VMware PKS, they can work with the same vendor and know everything works together."

Still, OpenShift captures most of the attention among enterprises that seek third-party Kubernetes support in hybrid cloud infrastructures.

"OpenShift made Kubernetes the backbone of its container orchestration much earlier, which gives Red Hat more experience, although customers have had to go through more disruptive patches and updates," said Chris Riley, director of solutions architecture at cPrime Inc., an Agile software development consulting firm in Foster City, Calif. "Red Hat OpenShift still gets mentioned much more than PKS among the customers I talk to."

PKS faces hyper-saturated Kubernetes management market

Any vendor that seeks momentum in managed Kubernetes must cut through overwhelming noise among a glut of competitors looking to unseat OpenShift. The Cloud Native Computing Foundation counts 75 Kubernetes platform vendors on the market, while 451 Research tallies 180, because it includes Kubernetes add-on specialists in security, database management and other subdomains.

Meanwhile, customers who seek simplicity often turn to cloud providers' native Kubernetes services.

"VMware offers very specific enterprise capabilities that technicians want. But the reality is that the simpler the Kubernetes approach, the better," Riley said. "For that reason, the clients I know use Kubernetes primarily in the cloud."

A Fortune 50 retailer client recently chose Google Kubernetes Engine over Azure Kubernetes Service after a lengthy bake-off between the two cloud providers, Riley said. A third-party hybrid cloud Kubernetes platform such as OpenShift or PKS never entered the equation.
