With the widespread adoption of containers by organizations and companies, Kubernetes (K8s), an open-source container orchestration system, has in recent years become the de facto standard for deploying and operating containerized applications. K8s offers several advantages: workload balancing, dynamic resource allocation, automated rollout and rollback, storage orchestration, management of sensitive information (secrets), self-healing, and more. K8s naturally has some limitations, but they can be overcome through its easy integration with third-party software; thanks to its popularity, many developers produce software designed to integrate with K8s.
Thanks to its flexibility and scalability, K8s can be integrated with cloud solutions such as OpenStack, a modular cloud operating system that offers processing and storage management services according to the Infrastructure as a Service (IaaS) model and is deployed at INFN CNAF. The natural complementary relationship between K8s and OpenStack has pushed us to adopt this combination widely in our Cloud infrastructure. One aspect that made us lean towards using these two systems together is the possibility of exposing K8s services externally via a Load Balancer (LB) using Octavia, one of the many open-source modules that integrate into the OpenStack ecosystem. In addition, other measures have been implemented by integrating the cluster with external software that should both simplify the system administrator's work and enhance security.
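As an added example (not part of the original text and not the INFN CNAF configuration), the manifest below shows the shape of a K8s Service that is exposed externally through an OpenStack Octavia load balancer via the OpenStack cloud-controller-manager, together with the source-range restriction a defender would add so that the public address is not reachable from the whole Internet. The annotation names are those documented by the OpenStack cloud provider for Kubernetes; the network and subnet IDs, the CIDR ranges and the application labels are placeholders chosen for illustration.

```yaml
# Added example: exposing a K8s Service through an Octavia load balancer.
# All IDs, CIDRs and labels below are placeholders, not values from the paper.
apiVersion: v1
kind: Service
metadata:
  name: web-frontend
  namespace: tenant-a
  annotations:
    # Assumed annotations of the OpenStack cloud provider: pick the external
    # (floating IP) network and the tenant subnet on which Octavia creates
    # the VIP. Replace the placeholder UUIDs with real ones.
    loadbalancer.openstack.org/floating-network-id: "00000000-0000-0000-0000-000000000000"
    loadbalancer.openstack.org/subnet-id: "11111111-1111-1111-1111-111111111111"
spec:
  type: LoadBalancer            # cloud-controller-manager asks Octavia for an LB
  selector:
    app: web-frontend           # only pods carrying this label receive traffic
  ports:
    - name: https
      port: 443                 # port exposed on the Octavia VIP
      targetPort: 8443          # container port inside the pod
      protocol: TCP
  # Restrict which client networks may reach the VIP. The cloud provider
  # translates these ranges into security-group rules on the LB, so a service
  # meant for a research collaboration is not exposed to arbitrary sources.
  loadBalancerSourceRanges:
    - "192.0.2.0/24"            # example documentation range (RFC 5737)
    - "198.51.100.0/24"
  externalTrafficPolicy: Local  # preserve client source IPs for auditing
```

After applying the manifest, `kubectl get svc -n tenant-a web-frontend` should show the floating IP allocated by Octavia under EXTERNAL-IP; if it remains `<pending>`, the usual causes are a missing or mis-configured cloud-controller-manager or an Octavia quota that has been exhausted. Omitting `loadBalancerSourceRanges` leaves the VIP reachable from any source, which is the setting a reviewer should flag when the service handles personal data.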
While high reliability is a requirement that any user of a service welcomes, security is of particular importance in our infrastructure. The architecture presented here is in fact intended to host personal data, which requires a high degree of protection against external attacks and strict isolation between the various users of the infrastructure.