What is Sangfor Kubernetes Engine?

Sangfor Kubernetes Engine (SKE) is a container management platform built on Kubernetes. It is integrated into Sangfor HCI and managed by Sangfor Cloud Platform (SCP). It offers a unified platform for running and managing containers and virtual machines with simplicity, reliability, and security.


SKE Architecture


SKE Features and Capabilities

Unified Management

Containers and virtual machines will coexist in the infrastructure for the long term, and managing them through separate tools and consoles is inefficient.

By integrating SKE with Sangfor HCI, users benefit from the unified management of containers and virtual machines. This includes centralized management of accounts, permissions, monitoring, and alerts, significantly improving overall management efficiency.


Automated Deployment of K8s Clusters

Setting up a K8s cluster by hand involves at least eight backend operations and dozens of commands, making the process complex and error-prone.

With SKE, users can quickly create a production-ready Kubernetes cluster in just a few simple steps, typically within 15 minutes. This process eliminates the need for manual operating system installation and configuration, ensuring rapid deployment of business applications.


Out-of-the-Box Production-Ready Components

The platform includes a rich set of pre-built components, providing out-of-the-box functionality for rapid application deployment and comprehensive visualized monitoring. This supports the quick onboarding of business workloads with stable runtime operations.

To assist in troubleshooting, the platform offers various log types. Additionally, it features a built-in high-performance load balancing solution, reducing the complexity of ongoing maintenance.


High Availability & Reliability

Kubernetes itself has no effective way to detect a degraded (sub-healthy) state in the underlying physical or virtual machines: a node that is slow or partially failing can still report Ready, which poses a reliability risk.

SKE leverages Sangfor HCI's reliability and High Availability (HA) mechanisms, such as sub-health monitoring and the Distributed Resource Scheduler (DRS), to avoid running applications on unhealthy nodes, ensuring stable business operations. Additionally, cluster node host exclusion applies a default mutual exclusion (anti-affinity) policy to the virtual machines that host Kubernetes cluster nodes, so they are preferentially placed on different physical hosts; this keeps a single physical host failure from taking down several nodes of the same cluster at once.

Comprehensive Security

SKE provides robust security for Kubernetes clusters by leveraging Sangfor HCI’s built-in security features, security policies, and operating system hardening, such as patching. For cluster nodes, a distributed firewall policy is automatically created to block high-risk ports while whitelisting the ports the cluster needs. Note that this node-level policy governs which ports are reachable on the node itself; control over pod-to-pod traffic is a separate concern, handled by the container network.

As Kubernetes evolves, its many parameters create security risks when configurations do not follow best practices. SKE provides built-in admission policies that control which workloads are admitted to the cluster, and uses audit logs to quickly identify and trace high-risk configurations back to the request and user that introduced them. For non-compliant actions, the system offers remediation options such as allowing the action but auditing it, or blocking it outright.
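The two mechanisms just described, an admission check with an audit-or-block mode and a scan of audit logs that traces high-risk configurations to the user who requested them, as an added example that is not SKE's own policy engine or audit tooling. The rule names, the "audit"/"deny" mode names and the audit events are constructed for this illustration; the events follow the trimmed shape of Kubernetes audit.k8s.io/v1 records, which only carry a requestObject when the audit policy level is RequestResponse.

```python
"""Added example: evaluate Kubernetes pod specs against a small set of
high-risk configuration rules, apply an admission mode (audit or deny),
and trace matching requests in constructed Kubernetes audit-log records.
The rules, mode names and sample events are assumptions for illustration;
this is not SKE's own policy engine."""
import json
from typing import Dict, List

# Hypothetical rule set: name -> predicate over a pod spec dict. Real
# admission baselines (e.g. Pod Security Standards) are broader than this.
def _privileged(spec: dict) -> bool:
    return any(
        (c.get("securityContext") or {}).get("privileged", False)
        for c in spec.get("containers", []) + spec.get("initContainers", [])
    )

def _host_namespaces(spec: dict) -> bool:
    return any(spec.get(k, False) for k in ("hostNetwork", "hostPID", "hostIPC"))

def _host_path(spec: dict) -> bool:
    return any("hostPath" in v for v in spec.get("volumes", []))

RULES = {
    "privileged-container": _privileged,
    "host-namespace": _host_namespaces,
    "hostpath-volume": _host_path,
}

def evaluate(spec: dict) -> List[str]:
    """Return the names of the rules the pod spec violates (empty if compliant)."""
    return [name for name, check in RULES.items() if check(spec)]

def admit(spec: dict, mode: str) -> Dict[str, object]:
    """Apply an admission mode to a pod spec.
    'audit' lets the request through but records the violations;
    'deny' rejects the request when any rule fires."""
    violations = evaluate(spec)
    if mode == "deny" and violations:
        return {"allowed": False, "violations": violations}
    return {"allowed": True, "violations": violations}

# Constructed audit-log events (audit.k8s.io/v1 shape, trimmed to the fields
# used here). Each line is one JSON event as the apiserver would write it.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a1",
     "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web"},
     "requestObject": {"spec": {"containers": [{"name": "web", "image": "nginx"}]}}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a2",
     "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "bob"},
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "debug"},
     "requestObject": {"spec": {"hostPID": True, "containers": [
         {"name": "sh", "image": "busybox",
          "securityContext": {"privileged": True}}]}}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a3",
     "stage": "ResponseComplete", "verb": "get",
     "user": {"username": "carol"},
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web"}},
])

def trace_high_risk(audit_log: str) -> List[dict]:
    """Scan audit events for pod create/update/patch requests whose request
    body violates a rule, and report who made them. Events without a
    requestObject (lower audit levels) cannot be evaluated and are skipped."""
    findings = []
    for line in audit_log.splitlines():
        ev = json.loads(line)
        if ev.get("verb") not in ("create", "update", "patch"):
            continue
        if ev.get("objectRef", {}).get("resource") != "pods":
            continue
        spec = ev.get("requestObject", {}).get("spec")
        if spec is None:
            continue
        violations = evaluate(spec)
        if violations:
            ref = ev["objectRef"]
            findings.append({
                "auditID": ev["auditID"], "user": ev["user"]["username"],
                "pod": f"{ref['namespace']}/{ref['name']}", "violations": violations,
            })
    return findings

if __name__ == "__main__":
    for finding in trace_high_risk(SAMPLE_AUDIT_LOG):
        print(finding)
```

Running the block prints the single finding for bob's privileged, hostPID pod; alice's plain nginx pod and carol's read-only request produce nothing. The same `evaluate` function backs both modes, so switching a policy from audit to deny changes only what happens to the request, not what is flagged.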


Sharing the Distributed Storage of HCI

Cloud-native applications need persistent storage for various types of data, including business data, cache data, log data, and other data that must be retained over time.

With SKE, cloud-native applications can directly use the distributed storage of Sangfor HCI without needing an additional storage resource pool. This approach provides high-performance and reliable enterprise-grade storage, reducing the total cost of ownership (TCO). The solution meets the requirements of high-performance workloads, such as containerized database deployments.


SKE Network Architecture Hosted on HCI

The SKE network is built on a virtual network. Pod-to-Pod communication across physical hosts is achieved through the integration of CNI (Container Network Interface) and the use of both virtual and physical network links.

Cilium's eBPF (extended Berkeley Packet Filter) datapath processes packets directly in the kernel, avoiding the user-space packet handling that adds latency. According to the platform, this in-kernel, zero-copy processing can reach performance comparable to that of DPDK (Data Plane Development Kit).


Container Network Traffic Visualization

The shift to a cloud-native architecture has increased the number of microservices, leading to more internal access relationships and traffic. This makes it difficult to identify necessary ports for business operations, complicating security protection and control.

SKE addresses this by visualizing the access relationships between cloud-native applications, which makes problems easier to identify and troubleshoot. Operators can quickly assess the state of the container network and see which services are actually exposed and on which protocols and ports, which is the information needed to decide what to allow and what to lock down.
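How the traffic visualization turns raw flows into the access relationships and exposed ports described above, as an added example that is not SKE's own visualization code or data format. The flow records are constructed for this illustration and loosely modelled on Cilium Hubble JSON output, but the field names, namespaces and workload names are assumptions.

```python
"""Added example: derive an access-relationship map and a list of exposed
service ports from container network flow records. The record shape is a
simplified, assumed form (inspired by Cilium Hubble flow JSON); the
namespaces, workloads and flows are constructed sample data, not SKE output."""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed flow records: one JSON object per line.
SAMPLE_FLOWS = "\n".join(json.dumps(f) for f in [
    {"source": {"namespace": "shop", "workload": "frontend"},
     "destination": {"namespace": "shop", "workload": "cart"},
     "l4": {"protocol": "TCP", "destination_port": 8080}, "verdict": "FORWARDED"},
    {"source": {"namespace": "shop", "workload": "cart"},
     "destination": {"namespace": "shop", "workload": "redis"},
     "l4": {"protocol": "TCP", "destination_port": 6379}, "verdict": "FORWARDED"},
    {"source": {"namespace": "shop", "workload": "frontend"},
     "destination": {"namespace": "shop", "workload": "cart"},
     "l4": {"protocol": "TCP", "destination_port": 8080}, "verdict": "FORWARDED"},
    {"source": {"namespace": "world", "workload": "ingress"},
     "destination": {"namespace": "shop", "workload": "frontend"},
     "l4": {"protocol": "TCP", "destination_port": 80}, "verdict": "FORWARDED"},
    {"source": {"namespace": "scanner", "workload": "probe"},
     "destination": {"namespace": "shop", "workload": "redis"},
     "l4": {"protocol": "TCP", "destination_port": 6379}, "verdict": "DROPPED"},
    {"source": {"namespace": "shop", "workload": "frontend"},
     "destination": {"namespace": "shop", "workload": "dns"},
     "l4": {"protocol": "UDP", "destination_port": 53}, "verdict": "FORWARDED"},
])

Edge = Tuple[str, str, str, int]  # (source, destination, protocol, port)

def _name(endpoint: dict) -> str:
    return f"{endpoint['namespace']}/{endpoint['workload']}"

def access_relationships(flows: str) -> Dict[Edge, int]:
    """Count forwarded flows per (source, destination, protocol, port) edge.
    Dropped flows are excluded: they record attempts, not access relationships."""
    edges: Dict[Edge, int] = defaultdict(int)
    for line in flows.splitlines():
        f = json.loads(line)
        if f.get("verdict") != "FORWARDED":
            continue
        edge = (_name(f["source"]), _name(f["destination"]),
                f["l4"]["protocol"], f["l4"]["destination_port"])
        edges[edge] += 1
    return dict(edges)

def exposed_ports(flows: str) -> Dict[str, Set[Tuple[str, int]]]:
    """Which (protocol, port) pairs does each workload actually serve?
    This is the 'necessary ports' list a network policy should allow."""
    ports: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for (_, dst, proto, port) in access_relationships(flows):
        ports[dst].add((proto, port))
    return dict(ports)

def cross_namespace_callers(flows: str) -> Dict[str, Set[str]]:
    """Workloads reached from outside their own namespace: the first place
    to look when deciding what must stay exposed and what can be locked down."""
    callers: Dict[str, Set[str]] = defaultdict(set)
    for (src, dst, _, _) in access_relationships(flows):
        if src.split("/")[0] != dst.split("/")[0]:
            callers[dst].add(src)
    return dict(callers)

def blocked_attempts(flows: str) -> List[Edge]:
    """Dropped flows, reported separately as candidate probes or misconfigurations."""
    out: List[Edge] = []
    for line in flows.splitlines():
        f = json.loads(line)
        if f.get("verdict") == "DROPPED":
            out.append((_name(f["source"]), _name(f["destination"]),
                        f["l4"]["protocol"], f["l4"]["destination_port"]))
    return out

if __name__ == "__main__":
    for edge, n in access_relationships(SAMPLE_FLOWS).items():
        print(f"{edge[0]} -> {edge[1]} {edge[2]}/{edge[3]} ({n} flows)")
    print("exposed:", exposed_ports(SAMPLE_FLOWS))
    print("cross-namespace:", cross_namespace_callers(SAMPLE_FLOWS))
    print("dropped:", blocked_attempts(SAMPLE_FLOWS))
```

On the sample data the map has four edges, redis is exposed only on TCP/6379 to cart, the frontend is the only workload reached from another namespace, and the scanner's dropped attempt against redis is listed apart from the real access relationships rather than mixed into them.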
