Latest Features for Wind River's Operator Technology – WIND

By Shashank Bommaganti

Wind River Cloud Platform provides cloud native software infrastructure designed for deploying and managing distributed edge clouds at scale. Cloud Platform is the commercially supported version of the open source project StarlingX. Introduced to the market last year as the industry's first 5G cloud native open source solution, the latest release is now available. This new release is the result of collaboration between Wind River, our customers, and partners to make Cloud Platform the optimal choice for vRAN workloads at scale. To learn more about how Cloud Platform is being commercially deployed, take a look at this news regarding Verizon's first end-to-end fully virtualized 5G data session in the world.

This latest version adds a number of new features that significantly improve the operational efficiency and security of the Cloud Platform. Some of the new capabilities include centralized FPGA programming orchestration, Kata containers, Vault integration for secure secret management, and container image signing validation.

Read on as we take you through some highlights of our latest release.

Distributed Cloud Enhancements

Zero Touch Provisioning Enhancements: Leveraging the Redfish virtual media controller to securely download and install an ISO on a remote server through the BMC interface over an L3 network, Cloud Platform uses a unique 2-stage ISO installer that improves the reliability and performance of the ISO download, especially over low-speed, high-latency network links to the remote subclouds.

Security

Certificate Management: Given the sheer number of X.509 security certificates used in a Kubernetes environment, automated certificate management is key to avoiding service interruption due to misconfigured or expired certificates. Cloud Platform now includes Kubernetes cert-manager, a native Kubernetes certificate management controller that supports certificate management with external certificate authorities (CAs), automating the issuance and renewal of certificates.

Kata containers: Container isolation is always top of mind for anyone deploying containerized applications. While cgroups and namespaces do provide workload isolation, containers still share a kernel, so the workload isolation isn't equivalent to, say, what is provided by virtual machines (VMs). This is where Kata containers come in. Kata containers feel and perform like containers, but provide stronger workload isolation for networking, I/O and memory, similar to VMs. With the containerd Container Runtime Interface (CRI), Cloud Platform now supports the Kata container runtime in addition to the standard runc container runtime.

Windows Active Directory: Cloud Platform can now be configured to use a remote Windows Active Directory server to authenticate users of the Kubernetes API, using the open source Dex OIDC Identity service. Dex provides an OIDC front end with access to a variety of identity providers through backend connectors, such as Windows Active Directory with LDAP(S).

Pod Security Policies (PSP): Cloud Platform adds PSPs to enable fine-grained authorization of Kubernetes Pod creation and updates. PSPs control access to security-sensitive aspects of Pod specifications such as running privileged containers, use of the host filesystem, running as root, etc. PSPs define a set of conditions that a Pod must run with in order to be accepted into the system, with defaults for the related fields.
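A restrictive PSP that enforces the conditions listed above (no privileged containers, no host filesystem or host namespaces, no running as root), together with the RBAC binding a Pod's service account needs before the policy is applied to it. This is an added illustration, not a policy shipped with Cloud Platform; the policy, role and namespace names are assumed.

```yaml
# Added example, not a Cloud Platform artifact: policy, role and namespace names are assumed.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false                 # reject privileged containers
  allowPrivilegeEscalation: false   # no setuid / capability gain at exec time
  requiredDropCapabilities: ["ALL"]
  hostNetwork: false                # no host namespaces
  hostPID: false
  hostIPC: false
  volumes:                          # hostPath is absent, so the host filesystem is denied
    - configMap
    - secret
    - emptyDir
    - projected
    - downwardAPI
    - persistentVolumeClaim
  runAsUser:
    rule: MustRunAsNonRoot          # UID 0 (from the spec or the image USER) is rejected
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  readOnlyRootFilesystem: false
---
# A Pod is admitted under this policy only if its service account may "use" it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restricted"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-default
  namespace: app-ns                 # assumed application namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted
subjects:
  - kind: ServiceAccount
    name: default
    namespace: app-ns
```

A Pod in app-ns that requests `privileged: true`, mounts a hostPath volume or runs as UID 0 fails admission with a PSP error rather than being silently altered, so the rejection shows up in the API server audit log.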

Secrets Management: Cloud Platform integrates Vault as a containerized secrets management application that provides encrypted storage with policy-based access control.

Signed container image validation: To prevent a container image that has been tampered with or is corrupted from running, Cloud Platform now integrates the Portieris Kubernetes admission controller, which ensures that only policy-compliant images, such as signed images from trusted registries, can run on the Cloud Platform. The trust policies can be configured for an individual namespace or cluster-wide. Portieris first checks that the image's registry/repository is trusted according to the image policies, and, if trust enforcement is enabled for that registry/repository, Portieris verifies that a signed version of the image exists in the specified registry / notary server before the container is allowed to run on the Cloud Platform. The Cloud Platform implementation of Portieris is integrated with cert-manager and can use custom registries for added flexibility.
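The two-step check described above expressed as Portieris policy objects: a namespace-scoped ImagePolicy that lists which registry/repository patterns are trusted and, per entry, whether signature enforcement against a notary server is required, plus a ClusterImagePolicy that applies where a namespace has no policy of its own. This is an added example, not configuration shipped with Cloud Platform; the registry hostnames, notary URL, secret and namespace names are assumed.

```yaml
# Added example, not a Cloud Platform artifact: registry hosts, notary URL,
# secret and namespace names are assumed values.
apiVersion: portieris.cloud.ibm.com/v1
kind: ImagePolicy
metadata:
  name: signed-only
  namespace: app-ns
spec:
  repositories:
    # Step 1: the image's registry/repository must match an entry here,
    # otherwise Portieris denies the Pod.
    # Step 2: with trust enabled, a signed version of the exact tag must
    # exist on the notary server, verified against the listed signer key.
    - name: "registry.example.internal/apps/*"
      policy:
        trust:
          enabled: true
          trustServer: "https://notary.example.internal:4443"
          signerSecrets:
            - name: apps-signer-key   # Secret holding the signer's public key
    # Listed, but with enforcement disabled: images from this repository are
    # admitted without a signature check. Keep such entries to a minimum.
    - name: "registry.example.internal/tools/*"
      policy:
        trust:
          enabled: false
---
# Cluster-wide default, consulted only for namespaces without an ImagePolicy.
apiVersion: portieris.cloud.ibm.com/v1
kind: ClusterImagePolicy
metadata:
  name: default
spec:
  repositories:
    - name: "registry.example.internal/*"
      policy:
        trust:
          enabled: true
          trustServer: "https://notary.example.internal:4443"
```

The API group shown is the current upstream one; older Portieris releases use `securityenforcement.admission.cloud.ibm.com/v1beta1` with the same spec layout, so check the CRDs installed on the cluster before applying.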

FPGA Support

In order to support hardware acceleration necessary for 5G virtual RAN and other performance sensitive workloads, Cloud Platform now includes support for Intel N3000 FPGA cards. Leveraging the powerful update and upgrade orchestration capabilities of the Cloud Platform, the FPGA image programming can be orchestrated from the central controller to all the sub-clouds in a distributed cloud deployment.

Storage

Customers with existing NetApp storage cluster investments can now utilize them as a Kubernetes persistent block storage backend for the Cloud Platform. Of course, Cloud Platform continues to provide Ceph as an optional backend for Kubernetes Persistent Volume Claims (PVCs) for those customers without existing storage solutions in place.

To learn more about Wind River Cloud Platform, click here or contact us.
