The way organizations approach Kubernetes often mirrors the way they use the cloud: Typically, they start off using Kubernetes to manage just a single cluster of servers. But over time, they might expand into a Kubernetes multi-cluster setup, meaning one that includes multiple clusters – just as an organization that starts with one cloud might later decide to adopt a multi-cloud architecture.
Opting to run multiple Kubernetes clusters can provide several important benefits, such as increased reliability and scalability. But it also presents challenges in areas like security and observability.
We've prepared this article to help you decide whether a Kubernetes multi-cluster architecture is right for you, and if it is, how best to go about managing it. Keep reading to learn how multi-cluster Kubernetes works, which benefits it offers, and best practices for mitigating the challenges that a Kubernetes multi-cluster approach can present.
What is multi-cluster Kubernetes?
Multi-cluster Kubernetes is a Kubernetes environment that consists of two or more distinct clusters.
To understand fully what multi-cluster Kubernetes means, let's dive a bit deeper into how Kubernetes clusters work. In Kubernetes, clusters are collections of servers (called nodes) that host workloads. In addition, each cluster typically has its own control plane, meaning the Kubernetes software services responsible for managing the cluster itself.
Typically, if you have a group of servers that exist in a certain place – such as a specific data center or cloud environment – you'd form them into one Kubernetes cluster. This would result in a single-cluster Kubernetes architecture.
But if you have multiple groups of servers spread across different locations, or if you simply want to create strict isolation boundaries between groups of servers in the same location, you could create multiple clusters.
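To make the distinction concrete, here's a minimal sketch that uses the official Kubernetes Python client to list the nodes in two separate clusters by switching kubeconfig contexts. The context names are hypothetical placeholders for whatever contexts your own kubeconfig defines.

```python
# A minimal sketch using the official Kubernetes Python client.
# The kubeconfig context names ("prod-us-east", "prod-eu-west") are
# hypothetical; substitute the contexts defined in your own kubeconfig.
from kubernetes import client, config

for context in ["prod-us-east", "prod-eu-west"]:
    # Each context points at a different cluster, each with its own control plane.
    api_client = config.new_client_from_config(context=context)
    core_v1 = client.CoreV1Api(api_client=api_client)

    nodes = core_v1.list_node().items
    print(f"{context}: {len(nodes)} nodes")
    for node in nodes:
        print(f"  {node.metadata.name}")
```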
Single-cluster vs. multi-cluster
The components of Kubernetes are the same in both single-cluster and multi-cluster environments. They include resources like nodes, Pods (which are collections of containers that host applications), an API server, the Kubernetes scheduler, and so on.
The only big difference between a single cluster and multiple clusters is that in the latter setup, you have more than one cluster. In addition, multi-cluster Kubernetes environments sometimes use load balancers or service meshes to distribute traffic across clusters – meaning that different clusters can share in hosting the same workload or processing the same type of request.
Multi-cluster vs. cluster federation
Most multi-cluster Kubernetes environments are distinct from federated Kubernetes, also known as kubefed (and sometimes described as a Kubernetes-centric approach to multi-cluster management, as we discuss in more detail below). Federated Kubernetes is a deployment strategy in which a single Kubernetes cluster manages multiple other clusters, making it possible to deploy workloads across more than one cluster from a central location. Thus, with federated Kubernetes, there is effectively a single control plane managing multiple clusters.
In contrast, multi-cluster Kubernetes simply means that you have more than a single cluster, but with no central control plane managing all of them. Each cluster in a multi-cluster setup operates as an independent entity. Again, it's possible to use load balancers or service meshes to distribute traffic across multiple clusters, but that's different from managing all clusters through a shared control plane.
How do multiple Kubernetes clusters work?
Typically, multiple Kubernetes clusters work by having each cluster operate independently using its own control plane nodes and worker nodes. At the same time, a central load balancer or service mesh is connected to each cluster and directs traffic to the clusters as needed.
For example, a load balancer might direct a request from one user to a particular cluster because that cluster happens to have more available CPU and memory at the time the user sends the request. However, the load balancer could direct an identical request from a different user to a different cluster in the event that the latter ends up having more spare resources at the time of the request. This allows for efficient balancing of load across clusters.
A similar approach could be used to redirect traffic in the event that one cluster fails, or to direct different types of requests to different clusters based on the applications that each cluster hosts.
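As a rough illustration of the idea (not a production pattern), the toy Python sketch below forwards a request to the first cluster that responds successfully and falls back to the next cluster otherwise. The ingress URLs are hypothetical; in practice this logic lives in a load balancer or service mesh rather than in application code.

```python
# A toy illustration of cross-cluster request routing with simple failover.
# The ingress URLs are hypothetical; a production setup would rely on a real
# load balancer or service mesh rather than application-level code like this.
import requests

CLUSTER_ENDPOINTS = [
    "https://ingress.cluster-a.example.com",
    "https://ingress.cluster-b.example.com",
]

def forward_request(path: str) -> requests.Response:
    """Try each cluster in turn; fall through to the next on failure."""
    last_error = None
    for endpoint in CLUSTER_ENDPOINTS:
        try:
            response = requests.get(f"{endpoint}{path}", timeout=2)
            if response.status_code < 500:
                return response          # healthy cluster handled the request
        except requests.RequestException as exc:
            last_error = exc             # cluster unreachable; try the next one
    raise RuntimeError(f"all clusters failed: {last_error}")

print(forward_request("/healthz").status_code)
```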
Replicated architecture vs. split-by-service architecture
There are two main ways to design multi-cluster Kubernetes environments:
- Replicated architecture: This approach involves hosting copies of the same applications and services across each cluster, creating redundancy. The main advantage of a replicated architecture is that it increases uptime because if one cluster goes down, applications remain available in other clusters.
- Split-by-service architecture: Under this approach, each cluster hosts different services and a service mesh directs incoming requests at clusters based on whichever service needs to handle the request. This makes it possible to isolate services from one another, which can provide security benefits.
It's also possible to use a hybrid architecture that mixes both replicated and split-by-service approaches. For example, you might host copies of a mission-critical service across all clusters in order to maximize its availability, while splitting non-critical services across clusters.
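One way to visualize the difference between the three approaches above is as a mapping from services to the clusters that host them. The Python snippet below is purely schematic, with hypothetical cluster and service names, but it captures how replicated, split-by-service, and hybrid layouts differ.

```python
# A schematic comparison of the designs. Cluster and service names are
# hypothetical; the point is only how services map onto clusters.

# Replicated: every cluster hosts every service, so any cluster can answer.
replicated = {
    "checkout": ["cluster-a", "cluster-b", "cluster-c"],
    "catalog":  ["cluster-a", "cluster-b", "cluster-c"],
}

# Split-by-service: each service lives in exactly one cluster, and the
# service mesh routes each request to the cluster that owns that service.
split_by_service = {
    "checkout": ["cluster-a"],
    "catalog":  ["cluster-b"],
    "reports":  ["cluster-c"],
}

# Hybrid: replicate the mission-critical service, split the rest.
hybrid = {
    "checkout": ["cluster-a", "cluster-b", "cluster-c"],  # replicated
    "reports":  ["cluster-c"],                            # split by service
}
```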
Kubernetes-centric vs. network-centric approach
There are also two main ways to manage a Kubernetes multi-cluster setup:
- Kubernetes-centric: This means using Kubernetes's native features to manage more than one cluster through a single control plane – which is effectively the same as a federated Kubernetes setup. Because Kubernetes federation features are no longer actively developed, a Kubernetes-centric approach to multi-cluster management is less common today.
- Network-centric: A network-centric architecture connects clusters at the network level, using tools like service meshes and load balancers to distribute traffic between clusters. This is the more common way to implement multi-cluster Kubernetes today.
Benefits of using a Kubernetes multi-cluster architecture
Multi-cluster Kubernetes can enable a range of benefits, including the following:
Availability
Running more than one cluster can increase availability, especially when organizations opt for replicated architectures. In that case, requests destined for application instances or services that have failed, or that can no longer handle traffic because they've run out of available resources, can simply be redirected to other clusters, minimizing the risk of downtime and latency.
Scalability
With more than one cluster, you can scale workloads up and down by adding or removing instances of them across clusters. For instance, imagine you have an application that experiences heavy traffic during certain periods of the year. With a Kubernetes multi-cluster setup, you could host replicas of the application on multiple clusters during periods of peak demand, while scaling down to hosting it on just one cluster during less busy periods. This helps strike the best tradeoff between resource utilization and application performance.
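As a rough sketch of what that looks like in practice, the snippet below uses the official Kubernetes Python client to adjust the replica count of the same Deployment in several clusters at once. The context names, namespace, and Deployment name are hypothetical.

```python
# A minimal sketch of scaling the same Deployment across several clusters.
# The context names, namespace, and Deployment name are hypothetical.
from kubernetes import client, config

CONTEXTS = ["cluster-a", "cluster-b", "cluster-c"]

def scale_everywhere(deployment: str, namespace: str, replicas: int) -> None:
    for context in CONTEXTS:
        api_client = config.new_client_from_config(context=context)
        apps_v1 = client.AppsV1Api(api_client=api_client)
        # Patch only the replica count, leaving the rest of the spec untouched.
        apps_v1.patch_namespaced_deployment_scale(
            name=deployment,
            namespace=namespace,
            body={"spec": {"replicas": replicas}},
        )
        print(f"{context}: scaled {deployment} to {replicas} replicas")

scale_everywhere("webapp", "shop", replicas=10)   # peak season
# scale_everywhere("webapp", "shop", replicas=2)  # quiet season
```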
Isolation of workloads
Multiple clusters make it possible to establish rigid boundaries for each workload. This is because workloads in one cluster can't typically communicate with those in other clusters unless they are explicitly configured to do so. In addition, resource-hungry workloads won't impede the performance of workloads hosted in other clusters, since resources are provisioned on a cluster-by-cluster basis.
There are other ways to achieve workload isolation in Kubernetes, such as using namespaces to create virtual boundaries between workloads. In addition, you can use requests and limits to manage how many resources each workload can consume. But a Kubernetes multi-cluster setup provides the deepest possible isolation because it makes it possible to restrict workloads to specific clusters.
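For comparison, here's a minimal sketch of those single-cluster isolation techniques: it uses the official Python client to create a Pod in a dedicated namespace with explicit requests and limits. The names, image, and resource values are hypothetical, and the namespace is assumed to already exist.

```python
# A minimal sketch of the single-cluster alternatives mentioned above:
# a namespace as a virtual boundary plus requests/limits on a workload.
# Names, image, and resource values are hypothetical; the "team-billing"
# namespace is assumed to already exist.
from kubernetes import client, config

config.load_kube_config(context="cluster-a")   # hypothetical context
core_v1 = client.CoreV1Api()

pod = client.V1Pod(
    metadata=client.V1ObjectMeta(name="billing-worker", namespace="team-billing"),
    spec=client.V1PodSpec(
        containers=[
            client.V1Container(
                name="worker",
                image="nginx:1.27",
                resources=client.V1ResourceRequirements(
                    requests={"cpu": "250m", "memory": "256Mi"},  # guaranteed share
                    limits={"cpu": "500m", "memory": "512Mi"},    # hard ceiling
                ),
            )
        ]
    ),
)
core_v1.create_namespaced_pod(namespace="team-billing", body=pod)
```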
Security and compliance
The ability to isolate workloads can provide security and compliance benefits. If one workload is compromised through a security vulnerability, the risk that the breach will spread to workloads in other clusters is minimal. Likewise, because Kubernetes Role-Based Access Control (RBAC) works on a cluster-by-cluster basis, RBAC settings that grant a user excessive permissions in one cluster won't pose risks to other clusters (unless the same RBAC policies are in place on those clusters).
In these ways, a Kubernetes multi-cluster approach helps reduce the impact of security incidents. It may also help organizations meet compliance requirements by showing that they have taken steps to mitigate the impact of configuration oversights that could lead to unauthorized access to resources hosted in Kubernetes. In addition, multi-cluster Kubernetes makes it possible to host different clusters in specific regions or countries, which may help meet compliance mandates in cases where regulations require applications or data to reside in particular geopolitical jurisdictions.
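Because RBAC is scoped to each cluster, audits also have to run cluster by cluster. The sketch below, which uses the official Python client and hypothetical context names, checks each cluster separately for bindings that grant the powerful cluster-admin role.

```python
# A minimal sketch that audits RBAC separately in each cluster, reflecting
# the fact that role bindings in one cluster have no effect on another.
# Context names are hypothetical.
from kubernetes import client, config

for context in ["cluster-a", "cluster-b"]:
    api_client = config.new_client_from_config(context=context)
    rbac_v1 = client.RbacAuthorizationV1Api(api_client=api_client)

    print(f"--- {context} ---")
    for binding in rbac_v1.list_cluster_role_binding().items:
        # Flag bindings that grant the cluster-admin role.
        if binding.role_ref.name == "cluster-admin":
            subjects = [s.name for s in (binding.subjects or [])]
            print(f"cluster-admin granted to: {subjects}")
```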
Infrastructure segmentation based on location
It's frequently the case that an organization owns multiple collections of servers in different locations. You might have multiple data centers, each with its own fleet of servers, for example, or you might use multiple public clouds and operate virtual servers in each of them.
In scenarios like these, multi-cluster Kubernetes makes it possible to create a separate cluster for each local set of infrastructure resources. Doing so makes sense logically because it allows you to divide and segment workloads between sites. It can also improve performance: building a single cluster from servers distributed across a wide geographic area can introduce high network latency, because traffic has to travel between the various sites represented in your cluster, slowing things down.
Edge computing and IoT
Along similar lines, multi-cluster Kubernetes may prove beneficial when working with edge computing or Internet of Things (IoT) workloads, both of which typically involve servers or other devices that are spread across wide geographic areas. By dividing the servers or devices into individual clusters, it becomes possible to manage each one separately, leading in many cases to better performance and simplified operations.
Challenges of multi-cluster Kubernetes
While multi-cluster Kubernetes can unlock many benefits, it also presents some steep challenges:
Configuration and management complexity
The more clusters you have, the harder you'll typically need to work to monitor, observe, secure, and otherwise manage them. This is due both to the fact that there are more components to track, and to the added complexity of multi-cluster architectures.
For example, imagine you detect that an application is slow to respond to requests. In a Kubernetes multi-cluster setup, you'd need to consider whether issues with the load balancer or service mesh that distributes traffic across clusters could be causing the problem. With a single-cluster architecture, this consideration wouldn't apply, making the issue easier to troubleshoot.
Network connectivity and latency
In a Kubernetes multi-cluster setup, networking issues can lead to performance and availability problems. When traffic takes too long to move between clusters, the clusters may go out of sync, causing application instances hosted in one cluster to handle requests differently from instances in another cluster that are supposed to be identical. Likewise, high network latency could lead to slow processing of requests in split-by-service architectures where a request needs to move between multiple clusters.
Network performance and latency issues can occur in a single-cluster setup, too. However, they tend to be less pronounced in that context because single-cluster network configurations are simpler. In addition, in single-cluster architectures, all servers typically reside in the same location, so there is no need to move data across long distances. That's not necessarily the case with a multi-cluster environment, where packets may need to travel thousands of miles, leading to higher risks of latency or packet loss.
Cross-cluster service discovery and load balancing
Kubernetes lacks built-in tooling to identify and connect services running across multiple clusters. As a result, using a load balancer to distribute requests across clusters, or integrating application services hosted across different clusters, can be challenging. Doing so requires tools external to each cluster that can create a catalog of all available services and perform Kubernetes service load balancing.
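A minimal sketch of what such external tooling has to do is shown below: it queries each cluster separately (via hypothetical kubeconfig contexts) and assembles a simple cross-cluster service catalog. Real solutions layer health checking and load balancing on top of a catalog like this.

```python
# A minimal sketch of building a cross-cluster service catalog, since
# Kubernetes itself has no built-in view of services in other clusters.
# Context names are hypothetical.
from kubernetes import client, config

catalog = {}  # (namespace, service name) -> list of clusters exposing it

for context in ["cluster-a", "cluster-b", "cluster-c"]:
    api_client = config.new_client_from_config(context=context)
    core_v1 = client.CoreV1Api(api_client=api_client)
    for svc in core_v1.list_service_for_all_namespaces().items:
        key = (svc.metadata.namespace, svc.metadata.name)
        catalog.setdefault(key, []).append(context)

for (namespace, name), clusters in sorted(catalog.items()):
    print(f"{namespace}/{name}: {', '.join(clusters)}")
```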
Security and access control
In a similar fashion, Kubernetes's built-in security and access control tools are only designed to work within a single cluster. If you want to apply the same security and permissions rules across clusters, you'd typically need to replicate settings manually.
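For example, the sketch below copies a namespaced Role from one cluster to others using the official Python client. The role name, namespace, and context names are hypothetical, and the target namespace is assumed to already exist in each cluster.

```python
# A minimal sketch of manually replicating an RBAC Role from one cluster to
# the others, since Kubernetes won't synchronize it for you. The role name,
# namespace, and context names are hypothetical.
from kubernetes import client, config

SOURCE, TARGETS = "cluster-a", ["cluster-b", "cluster-c"]

src_rbac = client.RbacAuthorizationV1Api(
    api_client=config.new_client_from_config(context=SOURCE)
)
role = src_rbac.read_namespaced_role(name="app-reader", namespace="team-app")

# Strip cluster-specific metadata before re-creating the object elsewhere.
role.metadata.resource_version = None
role.metadata.uid = None
role.metadata.creation_timestamp = None
role.metadata.managed_fields = None

for context in TARGETS:
    rbac_v1 = client.RbacAuthorizationV1Api(
        api_client=config.new_client_from_config(context=context)
    )
    rbac_v1.create_namespaced_role(namespace="team-app", body=role)
    print(f"replicated Role app-reader to {context}")
```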
Monitoring and observability
As we mentioned, identifying and troubleshooting issues in multi-cluster environments using Kubernetes monitoring and observability tools can be more challenging because there are more variables to contend with. This is complicated further by the fact that you often need to deploy monitoring tools into each cluster separately, and not all Kubernetes observability and monitoring platforms can natively correlate data between clusters.
Cost
In some cases, multi-cluster Kubernetes may lead to higher costs. This is mainly because each cluster requires its own control plane, and control planes consume memory, CPU, and disk space – so the more clusters and control planes you have, the more infrastructure resources you need to pay for.
In addition, there is a risk with multi-cluster Kubernetes that some clusters may be under-utilized because they include more nodes than are necessary to host the workloads running in them. This also leads to money wasted on unnecessary infrastructure.
Tools for Kubernetes multi-cluster management
Although there is no single type of tool that covers all aspects of multi-cluster Kubernetes management, there are several categories of tools that can be helpful for setting up and administering multiple clusters.
Multi-cluster management platforms
Some Kubernetes distributions or platforms, such as Rancher and OpenShift, offer capabilities that make it possible to connect and monitor multiple clusters through a central interface. They don't necessarily cover all of the capabilities you need to manage more than one cluster; for example, you may still need to set up external load balancers or service meshes to route traffic. But a multi-cluster management platform can help with tasks like replicating RBAC settings across clusters.
Cluster federation tools
If you opt for a Kubernetes-centric multi-cluster setup instead of a network-centric one, open source tools like kubefed may help. These tools are designed to enable multi-cluster support by managing multiple clusters through a single control plane. However, most work on cluster federation by Kubernetes developers has been abandoned, so this is likely not a future-proof approach to managing multiple clusters.
Infrastructure-as-Code
Infrastructure-as-Code, or IaC, is the practice of using code to define and provision resources. Using IaC, you can specify how Kubernetes clusters and workloads (among other types of resources) should be configured, and then apply the desired configuration automatically.
IaC is useful in the context of multi-cluster Kubernetes because it makes it easier to replicate the same configurations across clusters. For example, if you want to deploy identical Pods on more than one cluster, you can simply apply the same Pod definition on each one.
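Here's a minimal sketch of that pattern using the official Python client's YAML helper: the same manifest file is applied to every cluster in turn. The manifest path and context names are hypothetical.

```python
# A minimal sketch of applying one declarative manifest to every cluster.
# The manifest path and context names are hypothetical; the file is assumed
# to contain standard Kubernetes YAML (for example, a Pod or Deployment).
from kubernetes import config, utils

MANIFEST = "manifests/webapp.yaml"

for context in ["cluster-a", "cluster-b", "cluster-c"]:
    api_client = config.new_client_from_config(context=context)
    # create_from_yaml creates every object defined in the manifest file.
    utils.create_from_yaml(api_client, MANIFEST)
    print(f"applied {MANIFEST} to {context}")
```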
GitOps
GitOps is an approach to infrastructure management that focuses on using IaC code stored in Git repositories to configure resources. The main idea is that whenever engineers want to change a configuration, they can simply update code in Git, and then automatically push the changes out to any resources that are connected to the Git-based configurations.
When working with multiple Kubernetes clusters, a GitOps approach can be useful because the configurations for all clusters can be managed through a central Git repository, making it easier to apply configurations from a single location.
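A stripped-down illustration of the idea appears below: pull the latest configuration from Git, then apply the same manifests to every cluster. The repository path, manifest directory, and context names are hypothetical, and in practice a dedicated GitOps tool would handle this loop (including drift detection) rather than a script.

```python
# A minimal GitOps-style sync loop, sketched with plain git and kubectl calls.
# The repository path, manifest directory, and context names are hypothetical;
# real setups usually rely on a dedicated GitOps tool rather than a script.
import subprocess

REPO_DIR = "/opt/gitops/platform-config"
CONTEXTS = ["cluster-a", "cluster-b", "cluster-c"]

# Pull the latest committed configuration from Git.
subprocess.run(["git", "-C", REPO_DIR, "pull"], check=True)

# Apply the same declarative manifests to every cluster.
for context in CONTEXTS:
    subprocess.run(
        ["kubectl", "--context", context, "apply", "-f", f"{REPO_DIR}/manifests/"],
        check=True,
    )
```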
Service meshes, load balancers, and other networking tools
As mentioned above, service meshes and load balancers can be helpful for distributing traffic between multiple clusters. Other types of networking tools, like API gateways, can fulfill a similar purpose in some cases.
These solutions won't manage clusters themselves, but they help manage connections between clusters in a network-centric multi-cluster Kubernetes architecture.
Kubernetes multi-cluster with groundcover
Whether you have just one Kubernetes cluster or one hundred, groundcover provides the visibility you need to keep them all running at peak performance. Native support for multi-cluster Kubernetes environments means that groundcover can seamlessly collect critical observability data from across clusters while making all of it visible through a central portal.
In addition, groundcover's ability to correlate data helps you cut through the complexity of multi-cluster setups quickly and perform Kubernetes troubleshooting effectively.
Multiple clusters are (sometimes) better than one
If a single Kubernetes cluster meets your needs, by all means, stick with that setup. But sometimes, you'll find that operating more than one cluster is a better way to meet your performance, availability, security, and compliance goals. The good news in that case is that, although managing multiple clusters is a bit more challenging than working with a single cluster, it's eminently doable given the right tools and approach.