<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Cloud Native Architecture – Latest architectures</title><link>https://deploy-preview-36--cncfarchitecture.netlify.app/architectures/</link><description>Recent content in Latest architectures on Cloud Native Architecture</description><generator>Hugo -- gohugo.io</generator><language>en</language><atom:link href="https://deploy-preview-36--cncfarchitecture.netlify.app/architectures/index.xml" rel="self" type="application/rss+xml"/><item><title>Architectures: A Private Cloud "Kubernetes Service" deployable anywhere.</title><link>https://deploy-preview-36--cncfarchitecture.netlify.app/architectures/sncf-onprem/</link><pubDate>Fri, 03 Jul 2026 00:00:00 +0000</pubDate><guid>https://deploy-preview-36--cncfarchitecture.netlify.app/architectures/sncf-onprem/</guid><description>
&lt;h2 id="relevant-projects">Relevant projects&lt;/h2>
&lt;div class="row row-cols-1 row-cols-md-3 mb-4">
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
ArgoCD
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/argo/">&lt;img src="https://github.com/cncf/artwork/raw/main/projects/argo/horizontal/color/argo-horizontal-color.svg" alt="argo logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2024&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> v3.3.6&lt;/li>
&lt;/ul>
&lt;p>ArgoCD is used here as our main infrastructure engine. We&amp;rsquo;ve configured it so it can manage Day 1 and Day 2 operations seamlessly: Cluster APIs primitives on the management cluster to manage control plane operations, and helm applications to manage tooling and configuration of workload clusters. This infrastructure ArgoCD is centralized and dedicated to the platform team.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Cluster API
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://github.com/kubernetes-sigs/cluster-api/">&lt;img src="https://raw.githubusercontent.com/kubernetes-sigs/cluster-api/main/logos/kubernetes-cluster-logos_final-02.svg" alt="ClusterAPI logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2024&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> v1.10.5&lt;/li>
&lt;/ul>
&lt;p>Cluster API manages K8s control planes &amp;amp; machines at scale leaning on the ad hoc infrastucture providers (CAPO for OpenStack. CABPT and CACPPT for Talos), and serves as autoscaling &amp;amp; autohealing provider.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
External-dns
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://github.com/kubernetes-sigs/external-dns/">&lt;img src="https://raw.githubusercontent.com/kubernetes-sigs/external-dns/refs/heads/master/docs/img/external-dns.png" alt="External-secrets logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2021&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> v2.0.1&lt;/li>
&lt;/ul>
&lt;p>External-dns automates Designate DNS records management for workload Clusters.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
External Secrets Operator
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/external-secrets/">&lt;img src="https://github.com/cncf/artwork/raw/main/projects/external-secrets-operator/horizontal/color/eso-horizontal-color.svg" alt="External-secrets logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2022&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> v1.3.2&lt;/li>
&lt;/ul>
&lt;p>External Secrets Operator is the glue between Hashicorp Vault and workload clusters, allowing for secure and centralized secrets management.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Harbor
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/harbor/">&lt;img src="https://github.com/cncf/artwork/raw/main/projects/harbor/horizontal/color/harbor-horizontal-color.svg" alt="harbor logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2021&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> v2.14&lt;/li>
&lt;/ul>
&lt;p>Harbor is the centralized registry: storing and distributing every image used on any container based infrastructure at SNCF.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Kubernetes
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/kubernetes/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/kubernetes/icon/color/kubernetes-icon-color.svg" alt="kubernetes logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2018&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> v1.35&lt;/li>
&lt;/ul>
&lt;p>SNCF&amp;rsquo;s sole container orchestrator. Used across all hosting zones, including critical infrastructure like high-speed trains.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
OpenStack
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://opendev.org/openstack/openstack/">&lt;img src="https://raw.githubusercontent.com/openstack/openstackdocstheme/refs/heads/master/openstackdocstheme/theme/openstackdocs/static/images/openstack-logo-full.svg" alt="openstack logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2024&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> Yoga&lt;/li>
&lt;/ul>
&lt;p>OpenStack provides Machines, DNS, Storage and Network to the platform, it is fully automated by CAPO and therefore abstracted from App Teams.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Renovate
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://github.com/renovatebot/renovate/">&lt;img src="https://github.com/renovatebot/renovate/raw/main/docs/usage/assets/images/logo.png" alt="renovate logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2024&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> v43&lt;/li>
&lt;/ul>
&lt;p>Renovate helps us automate OS and dependency patch management.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Talos Linux
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://github.com/siderolabs/talos/">&lt;img src="https://mintlify.s3.us-west-1.amazonaws.com/siderolabs-fe86397c/images/talos.svg" alt="talos logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2024&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> v1.13.2&lt;/li>
&lt;/ul>
&lt;p>Talos Linux provides an immutable OS and Kubernetes distribution combo.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;h2 id="tldr-synopsis">TLDR; Synopsis&lt;/h2>
&lt;p>This reference architecture describes SNCF&amp;rsquo;s second generation On-Premise Kubernetes Platform, built upon a bare-metal, open source OpenStack Infrastructure to provide at scale Container orchestration and scheduling.
It has revolutionized hosting options for the organization&amp;rsquo;s applications, successfully providing a public cloud-managed Kubernetes service equivalent to internal teams. This platform allows them to build a sovereign strategy aligned with application requirements.&lt;/p>
&lt;p>In particular, this architecture aims to show:&lt;/p>
&lt;ul>
&lt;li>How legacy, non-tech organizations can address cloud migration, sovereignty and infrastructure automation in real life.&lt;/li>
&lt;li>How to design a Managed Kubernetes Service using a 100 % open-source with zero vendor lock-in approach.&lt;/li>
&lt;li>How the proposed architecture is designed for end-to-end automation for all its components.&lt;/li>
&lt;/ul>
&lt;h2 id="organization">Organization&lt;/h2>
&lt;p>SNCF is the publicly owned French rail operator, in charge of every layer of the rail transportation system except actually building trains. It encompasses thousands of different trades, resulting in needing thousands of different software applications operated mostly by one IT department.&lt;/p>
&lt;p>The company decided in the late 2010s to move massively to the public cloud, giving birth to a containers platform team leaning on public cloud-managed Kubernetes services to create a hosting solution for container compatible applications.
In 2023, that massive public cloud move was mainly wrapped up, the Kubernetes platform entering a growth sustainability phase, with at scale management problematics enforcing GitOps adoption. These stabilization efforts soon highlighted the need to offer the same level of service for container compatible applications not eligible for public cloud migrations, in order to prevent the organization to risk vendor lock-in with a fragmented two-tier system.&lt;/p>
&lt;p>This was addressed by a joined initiative between a private cloud provider built on premises and an end-to-end automated kubernetes platform build on top of it.&lt;/p>
&lt;h2 id="teams">Teams&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Private Cloud Infrastructure&lt;/strong> is in charge of OpenStack deployment and configuration, managing hardware and network across SNCF&amp;rsquo;s private hosting zones owned by the SNCF. They offer virtualization, storage, network, LB on which our Kubernetes platform is built.&lt;/li>
&lt;li>&lt;strong>Cloud Native Integration&lt;/strong> builds, deploys, and maintains Kubernetes platforms on various hosting zones. We manage infrastructure, tooling and common services integration Apps Teams to deploy their software the easiest and best way possible.&lt;/li>
&lt;li>&lt;strong>Apps Teams&lt;/strong> develop, build, and ship applications anywhere in SNCF&amp;rsquo;s numerous hosting zones.&lt;/li>
&lt;/ul>
&lt;h2 id="architecture">Architecture&lt;/h2>
&lt;p>The architecture described below, is our OnPremise implementation of our Kubernetes deployment strategy.&lt;/p>
&lt;p>&lt;img src="images/architecture-global.excalidraw.png" alt="Global Architecture">&lt;/p>
&lt;h3 id="goals">Goals&lt;/h3>
&lt;ul>
&lt;li>A unified and streamlined way to deploy and maintain Kubernetes across all our landing zones (private and public clouds).&lt;/li>
&lt;li>A centralized end-to-end cluster and tooling lifecycle management.&lt;/li>
&lt;li>Security and compliance policies enforcement across all clusters.&lt;/li>
&lt;li>A large number of clusters manageable by a small infrastructure team.&lt;/li>
&lt;li>Deploying new clusters in minutes.&lt;/li>
&lt;li>A maintainable architecture.&lt;/li>
&lt;li>100 % open-source.&lt;/li>
&lt;/ul>
&lt;h2 id="can-you-expand-on-why-you-are-using-those-projectsservices">Can you expand on why you are using those projects/services?&lt;/h2>
&lt;p>&lt;img src="images/architecture-detailed.excalidraw.png" alt="Detailed Architecture">&lt;/p>
&lt;p>CNCF projects and OpenSource are at the heart of our architecture:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>ClusterAPI - Clusters and Machines Management&lt;/strong> &lt;em>(adopted in 2025)&lt;/em>: ClusterAPI uses CAPO for lifecycle management of our Kubernetes clusters&amp;rsquo; control plane. It also provides through CACPPT machine configuration, enabling node autoscaling and autohealing thanks to cluster autoscaler.&lt;/li>
&lt;li>&lt;strong>Talos - OS/Kubernetes Combo&lt;/strong> &lt;em>(Kubernetes: adopted in 2018, Talos: adopted in 2025)&lt;/em>: We use Kubernetes on every SNCF hosting zone. Talos was chosen as &amp;ldquo;Kubernetes Operating System&amp;rdquo; because it is an streamlined way to deploy production-grade clusters with immutability and security in mind. We manage Talos nodes through the Cluster API&amp;rsquo;s Talos provider (CACPPT).&lt;/li>
&lt;li>&lt;strong>Openstack - Infrastructure provider&lt;/strong> &lt;em>(adopted in 2025)&lt;/em>: OpenStack allow us to consume the bare-metal infrastructure in a cloud native way. It gives us a similar resource abstraction for infrastructure as public clouds. We consume OpenStack through the Cluster API&amp;rsquo;s Openstack provider (CAPO).&lt;/li>
&lt;li>&lt;strong>ArgoCD - Clusters and tooling source of truth&lt;/strong> &lt;em>(adopted in 2023)&lt;/em>: We are using ArgoCD on all our clusters on private and public clouds. It allows us to manage the lifecycle of clusters infrastructure components.&lt;/li>
&lt;li>&lt;strong>Kyverno - Policy enforcer and resource mutation&lt;/strong> &lt;em>(adopted in 2022)&lt;/em>: Admission policies allows us to enforce compliance with the organization&amp;rsquo;s policy (e.g., images coming from our private registry, specifying requests/limits). We also leverage resource mutation capabilities to simplify workload best practices for apps teams without having to develop a dedicated controller or operator (e.g., automaticaly configure pod disruption budgets or topology spread constraints).&lt;/li>
&lt;li>&lt;strong>Cilium - CNI&lt;/strong> &lt;em>(adopted in 2023)&lt;/em>: We use Cilium as CNI on all our infrastructures. We especially use it for its network policies capabilities. We may use it for cluster mesh in the future.&lt;/li>
&lt;li>&lt;strong>Harbor - Private registry&lt;/strong> &lt;em>(adopted in 2020)&lt;/em>: Harbor is our private registry used to store OCI artifacts (like images, charts, etc.).&lt;/li>
&lt;li>&lt;strong>Renovate - Automatic Patch Management&lt;/strong> &lt;em>(adopted in 2025)&lt;/em>: Renovate is used to automate patch management for Talos, Kubernetes, and infrastructure components.&lt;/li>
&lt;/ul>
&lt;h2 id="what-has-worked-well">What has worked well?&lt;/h2>
&lt;p>The combination of OpenStack + Kubernetes with Talos + ClusterAPI + ArgoCD allows us to easily build clusters on our on-premise datacenters, and enables cluster provisioning for users in minutes.
They provide cloud-native capabilities on-prem, like: resilience, auto-scaling, on-demand load balancing and storage, easy upgrades, etc.&lt;/p>
&lt;h2 id="what-needs-improvement">What needs improvement?&lt;/h2>
&lt;p>The main challenge lies with Cluster API Talos providers, which do not always keep pace with CAPI core releases.
This prevents us from upgrading CAPI core to the latest version.
We plan to invest engineering time in upstream contributions to the project.&lt;/p>
&lt;h2 id="what-sort-of-glue-have-you-had-to-develop-to-enable-usage-of-your-architecture-">What sort of “glue” have you had to develop to enable usage of your architecture ?&lt;/h2>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Capix&lt;/strong>: a controller linking cluster creation by ClusterAPI with the deployment of Kubernetes manifests via ArgoCD.
It basically shares the newly generated kubeconfig from ClusterAPI with ArgoCD to deploy day2 manifests on the cluster.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>GoIDC&lt;/strong>: is an OIDC authentication CLI for our on-premises clusters. It allows users to authenticate to their clusters using their corporate credentials.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>get-onprem-cluster&lt;/strong>: is our CLI for users to easily download their kubeconfigs.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;h2 id="has-your-architecture-evolved-what-lessons-have-you-learned-from-previous-iterations">Has your architecture evolved? What lessons have you learned from previous iterations?&lt;/h2>
&lt;p>First iteration: This version started with Terraform, OpenStack, and Talos Linux, but we identified gaps in Day 2 operations efficiency.&lt;/p>
&lt;p>Second iteration: We added GitOps using ArgoCD, leveraging the work already done for our other Kubernetes stacks. This improved management of CNI, CSI, security, and monitoring features.&lt;/p>
&lt;p>Third iteration: We noticed one missing piece: autoscaling, which was not supported by the standard &lt;a href="https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler">cluster-autoscaler&lt;/a> on OpenStack. As a result, we migrated to Cluster API, which is fully compatible.&lt;/p>
&lt;p>The goal was to enable autoscaling, but Cluster API provides even more features and simplifies our workflow. By adding Helm templating, the solution now offers:&lt;/p>
&lt;ul>
&lt;li>Cluster provisioning in just a few dozen minutes.&lt;/li>
&lt;li>Native autoscaling capabilities.&lt;/li>
&lt;li>Easier node swapping and replacement.&lt;/li>
&lt;li>Full cluster upgrades (Kubernetes and/or OS versions) in about 15 minutes.&lt;/li>
&lt;/ul>
&lt;p>However, it required significant custom integration work and we encountered several pain points when using the &lt;a href="https://github.com/siderolabs/cluster-api-control-plane-provider-talos/">cluster-api-control-plane-provider-talos&lt;/a> and &lt;a href="https://github.com/siderolabs/cluster-api-bootstrap-provider-talos">cluster-api-bootstrap-provider-talos&lt;/a>.&lt;/p>
&lt;p>Indeed, we had to invest in these two projects because keeping them up to date with the Cluster API core depends heavily on community efforts.&lt;/p>
&lt;h2 id="whats-next-for-your-architecture-what-are-you-looking-to-do-next">What’s next for your architecture? What are you looking to do next?&lt;/h2>
&lt;p>We currently offer single-AZ clusters, as the underlying OpenStack platform operates within one availability zone.
We&amp;rsquo;re working with the OpenStack platform team on a multi-AZ OpenStack deployment to enable multi-AZ cluster support.&lt;/p>
&lt;h2 id="discussion">Discussion&lt;/h2>
&lt;p>End user members may participate in the &lt;a href="https://github.com/cncf/enduser-private/discussions/TBD">discussion thread&lt;/a> for this architecture.&lt;/p></description></item><item><title>Architectures: From Afterthought to Practice: Flipkart’s Multi-Tenant Chaos Engineering Platform on LitmusChaos</title><link>https://deploy-preview-36--cncfarchitecture.netlify.app/architectures/flipkart-chaos-engineering/</link><pubDate>Mon, 08 Jun 2026 00:00:00 +0000</pubDate><guid>https://deploy-preview-36--cncfarchitecture.netlify.app/architectures/flipkart-chaos-engineering/</guid><description>
&lt;h2 id="relevant-cncf-projects">Relevant CNCF projects&lt;/h2>
&lt;div class="row row-cols-1 row-cols-md-3 mb-4">
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
LitmusChaos
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/litmus/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/litmus/icon/color/litmus-icon-color.svg" alt="kubernetes logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2023&lt;/li>
&lt;/ul>
&lt;p>Central chaos engineering platform. Provides Kubernetes-native chaos orchestration, a workflow controller, a probe framework, a drag-and-drop UI, and resilience scoring. Flipkart deploys a single centralized control plane (operator + workflow controller) and federates tenant access through subscribers — forming the foundation of the multi-tenant chaos platform.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Kubernetes
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/kubernetes/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/kubernetes/icon/color/kubernetes-icon-color.svg" alt="dapr logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2021&lt;/li>
&lt;/ul>
&lt;p>Runtime substrate for hundreds of Flipkart microservices and for the LitmusChaos control plane itself. Custom Resource Definitions (ChaosEngine, ChaosExperiment, ChaosResult) model chaos as Kubernetes objects. DaemonSets are used to provide a node-local, long-lived chaos injection surface for high-availability experiment execution.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Argo Workflows
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/argo/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/argo/icon/color/argo-icon-color.svg" alt="keda logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2023&lt;/li>
&lt;/ul>
&lt;p>Underlying workflow engine used by Litmus to model multi-step chaos experiments — sequencing pre-checks, fault injection, probes, and recovery validation as a DAG. Flipkart’s Script Runner fault plugs into this DAG to enable dynamic target selection and context chaining between steps.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Prometheus
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/prometheus/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/prometheus/icon/color/prometheus-icon-color.svg" alt="opentelemetry logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2021&lt;/li>
&lt;/ul>
&lt;p>Metrics backbone for both production workloads and chaos experiments. Chaos drills are validated against Prometheus-driven SLO and alert thresholds (CPU saturation, 5xx error rates, latency, queue depth). Litmus’s Prometheus probes assert hypotheses during fault injection.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Helm
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/helm/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/helm/icon/color/helm-icon-color.svg" alt="helm logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2022&lt;/li>
&lt;/ul>
&lt;p>Used to package and roll out the centralized Litmus control plane, tenant subscribers, the DaemonSet-based injection layer, and Flipkart’s custom fault images consistently across staging and production clusters.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
containerd
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/containerd/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/containerd/icon/color/containerd-icon-color.svg" alt="helm logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2021&lt;/li>
&lt;/ul>
&lt;p>Container runtime on Flipkart’s Kubernetes nodes. The DaemonSet injection model relies on stable runtime primitives to execute parallel chaos sessions safely on a single node.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;h2 id="other-projects">Other Projects&lt;/h2>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align:center">Project&lt;/th>
&lt;th style="text-align:center">Using Since&lt;/th>
&lt;th style="text-align:center">Notes&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align:center">Grafana&lt;/td>
&lt;td style="text-align:center">2022&lt;/td>
&lt;td style="text-align:center">Dashboarding layer for chaos experiment telemetry. Flipkart reuses Litmus’s out-of-the-box Grafana exporters to surface experiment run history, resilience scores, and infrastructure-level signals to both Kubernetes and VM-team consumers — giving both audiences the same observability surface.&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align:center">MongoDB&lt;/td>
&lt;td style="text-align:center">2023&lt;/td>
&lt;td style="text-align:center">Backing store for the Litmus control plane. Flipkart’s probe-uniqueness contribution required reworking a global MongoDB index into a project-scoped one to make probes truly multi-tenant.&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align:center">Linux stress tooling on Debian&lt;/td>
&lt;td style="text-align:center">2023&lt;/td>
&lt;td style="text-align:center">Internal stress packages (CPU hog, memory hog, network hog, disk-IO) targeted at the Debian host OS of Flipkart’s VM fleet, invoked by the Hybrid VM Chaos extension when the workload doesn’t live in Kubernetes.&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align:center">Internal Flipkart Cloud Platform APIs&lt;/td>
&lt;td style="text-align:center">2024&lt;/td>
&lt;td style="text-align:center">Lifecycle APIs (start, stop, restart) for Flipkart’s VM fleet. The Hybrid VM Chaos extension calls these APIs to deliver VM-power experiments in parity with the Kubernetes-native experience.&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align:center">Internal Chaos Hub&lt;/td>
&lt;td style="text-align:center">2024&lt;/td>
&lt;td style="text-align:center">Private, Flipkart-internal catalog of pre-curated chaos experiment templates. Built so that tenants can publish, version, and consume reusable experiments across teams — the chaos-engineering analogue of an internal package registry.&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h2 id="synopsis">Synopsis&lt;/h2>
&lt;p>Flipkart is one of India’s leading digital commerce companies, running hundreds of tightly coupled microservices across Kubernetes and VM workloads that must withstand the traffic surges of Big Billion Days and other festive sales. The Central Reliability Engineering team built a centralized chaos engineering platform on LitmusChaos to convert chaos engineering from an afterthought into a continuous practice.&lt;/p>
&lt;p>On top of upstream Litmus, Flipkart engineered four high-leverage customizations: (1) a hybrid multi-tenancy model that combines the operational simplicity of a cluster-wide install with the isolation of a namespace-wide install; (2) a DaemonSet-based high-availability layer for chaos injection that runs one persistent injector per node and supports parallel sessions; (3) a first-class “Script Runner” fault that allows dynamic target selection and context chaining across steps in an experiment; and (4) a hybrid VM chaos extension that reuses the Litmus experience for non-Kubernetes workloads via Flipkart’s internal cloud APIs and Debian-host stress tooling.&lt;/p>
&lt;p>The result is operational readiness validated through live chaos drills ahead of Big Billion Days, a measurable shift in engineering culture from “prevention” to “practice,” and a steady stream of upstream contributions back to the LitmusChaos project.&lt;/p>
&lt;h2 id="organization">Organization&lt;/h2>
&lt;p>Flipkart is one of India’s leading digital commerce companies, serving hundreds of millions of customers across an ecosystem that includes flagship apparel, electronics, grocery, and fintech offerings. Its flagship event, Big Billion Days, is the largest e-commerce sales event in India and drives massive concurrent traffic across a tightly integrated microservices estate. Other high-scale moments — the Independence Day sale and Diwali sale among them — generate similar surges throughout the year.&lt;/p>
&lt;p>Flipkart’s engineering organization runs an extensive Kubernetes-as-a-Service platform alongside a large VM fleet, with internal central platform teams providing service mesh, networking, and database offerings to hundreds of downstream application teams. Reliability at the scale of an Indian retail tentpole event is therefore not a product-team concern — it is a horizontal platform discipline.&lt;/p>
&lt;h2 id="teams">Teams&lt;/h2>
&lt;p>Multiple teams collaborate to build, operate, and consume the chaos platform:&lt;/p>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Central Reliability Engineering&lt;/strong> — owns the chaos platform end-to-end: the centralized LitmusChaos control plane, tenant onboarding, the DaemonSet injection layer, the Script Runner fault, the hybrid VM chaos extension, the internal Chaos Hub, and upstream contributions back to Litmus.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Kubernetes-as-a-Service team&lt;/strong> — first tenant of the chaos platform; runs chaos drills against the Kubernetes control plane primitives consumed by every Flipkart workload.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Network Services and Service Mesh team&lt;/strong> — uses chaos to validate Layer-4/7 failure behavior, retry semantics, and circuit-breaker configurations across the mesh.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Central Database team&lt;/strong> — leverages the Script Runner fault to verify leader-election behavior in leader-follower database topologies during chaos drills.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Application teams&lt;/strong> — onboarded progressively after the central platform teams; consume curated experiments from the internal Chaos Hub.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>VM Infrastructure teams&lt;/strong> — use the hybrid VM chaos extension to obtain the same observability surface (Grafana, run history, resilience score) as Kubernetes-native consumers, despite running outside Kubernetes.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;h2 id="architecture-overview--goals">Architecture overview &amp;amp; Goals&lt;/h2>
&lt;h3 id="goals">Goals&lt;/h3>
&lt;ol>
&lt;li>
&lt;p>&lt;strong>Make chaos engineering a continuous practice, not an afterthought.&lt;/strong> Move from runbooks-on-paper to regularly rehearsed failure scenarios that feed back into incident response.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Operate one chaos platform for the whole company, safely.&lt;/strong> Provide a centralized control plane that hundreds of tenants can use without each tenant carrying operational burden — and without any tenant being able to touch another tenant’s workloads.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Eliminate self-inflicted experiment failures.&lt;/strong> Remove brittleness from the chaos infrastructure itself — specifically, helper-pod scheduling failures that were masking real reliability signal.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Express realistic, real-world failure scenarios.&lt;/strong> Support dynamic target selection and context chaining inside experiments so a single chaos run can express “find the leader, kill it, watch a new leader get elected” as one declarative workflow.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Treat VM workloads as first-class citizens.&lt;/strong> Reuse the Litmus experience for workloads that don’t run on Kubernetes — same UI, same probes, same observability — instead of building a parallel tool.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Validate operational readiness for Big Billion Days.&lt;/strong> Convert chaos drills into a measurable, repeatable pre-event sign-off rather than a manual exercise.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Contribute upstream.&lt;/strong> Push fixes and architectural patterns back into LitmusChaos so the broader CNCF community benefits and Flipkart avoids long-term fork maintenance.&lt;/p>
&lt;/li>
&lt;/ol>
&lt;h3 id="architecture-overview">Architecture Overview&lt;/h3>
&lt;p>At a high level, the architecture consists of a centralised control plane that is setup on a Kubernetes namespace or cluster that helps in designing and coordinating the chaos experiments. The chaos experiments are designed, implemented and certified and finally placed in a ChaosHub, which then are used by various teams in the organization to run them on the target Kubernetes clusters. Chaos experiment results are pushed back into the control plane as resilience scores, which can be used to create resilience testing trends and resilience posture reports for various teams’ consumption.&lt;/p>
&lt;p>The platform is organized into four logical layers:&lt;/p>
&lt;p>&lt;img src="./images/top-level-diagram.png" alt="">&lt;/p>
&lt;p>The platform is organized into four logical layers:&lt;/p>
&lt;p>&lt;img src="./images/layers.png" alt="">&lt;/p>
&lt;p>&lt;strong>Control Plane Layer.&lt;/strong> A single, centralized LitmusChaos installation — the operator, workflow controller, MongoDB backing store, and Grafana dashboards — lives in a dedicated central namespace and is operated by Central Reliability Engineering. There is one control plane per cluster footprint (staging, production), not one per tenant.&lt;/p>
&lt;p>&lt;strong>Tenant Subscriber Layer or a chaos agent.&lt;/strong> For each tenant team, a dedicated subscriber is deployed in the central namespace. The subscriber is scoped at install time to the set of tenant-owned namespaces it is allowed to target. The subscriber is the only Litmus identity that can dispatch chaos into a tenant’s namespaces — giving namespace-grade isolation without forcing each tenant to operate its own Litmus install.&lt;/p>
&lt;p>&lt;strong>Injection Layer.&lt;/strong> Instead of spawning ephemeral helper pods on-demand per experiment, Flipkart runs a DaemonSet (one replica per node, using the litmus-go image) as a long-lived, highly privileged injection surface. Experiment pods now offload target information to the node-local DaemonSet pod, which executes the chaos in parallel shell sessions. This supports concurrent chaos injection on the same node and eliminates a class of failures where the previous on-demand helper pod couldn’t be scheduled in time.&lt;/p>
&lt;p>&lt;strong>Extension Layer.&lt;/strong> Two domain-specific extensions plug into the platform: the Script Runner fault (a user-defined container running a user-defined script, whose stdout feeds the target list of any subsequent fault in the experiment), and the Hybrid VM Chaos extension (which uses Flipkart’s internal cloud-platform APIs for VM power operations and internal Debian stress packages for resource-level chaos). An internal Chaos Hub layers on top, letting tenants publish reusable experiment templates.&lt;/p>
&lt;p>Tenants interact with the platform almost entirely through the Litmus UI. They author or pick a template from the internal Chaos Hub, attach probes (including SSH-based probes for the VM surface), and run the experiment against namespaces or VMs they own. Resilience scores, run history, and Grafana dashboards present a single observability surface regardless of whether the target is a Kubernetes workload or a VM.&lt;/p>
&lt;h4 id="key-design-principles">Key Design Principles&lt;/h4>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Centralized control plane, federated trust.&lt;/strong> One operator and one workflow controller for the whole organization; isolation is enforced at the subscriber boundary, not by running N copies of Litmus.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Persistent, node-local injection.&lt;/strong> Trade ephemeral safety for scheduling determinism by accepting a long-lived privileged DaemonSet — a deliberate trade-off made only where the operational win (no scheduling failures during a chaos drill) outweighs the cost (privileged residency).&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Context chaining over static targeting.&lt;/strong> Chaos experiments are workflows, not single faults; the output of one step (“who is the leader?”) feeds the inputs of the next (“kill that pod”).&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>One experience, two surfaces.&lt;/strong> Kubernetes and VM chaos must look, feel, and report the same to the user. The UI, probes, and observability layer are surface-agnostic; the differences are pushed down into the extension layer.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Practice, then expand.&lt;/strong> Start with central platform teams that already run shared infrastructure; only then expand to application teams. Staging is the primary chaos surface; production chaos is selective and gated.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Upstream where possible.&lt;/strong> Local patches create long-term maintenance burden. Bug fixes and reusable patterns go back to LitmusChaos.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;h2 id="can-you-expand-on-why-you-are-using-those-projectsservices">Can you expand on why you are using those projects/services?&lt;/h2>
&lt;h3 id="why-litmuschaos">Why LitmusChaos&lt;/h3>
&lt;p>Before standardizing on Litmus, the team ran a detailed proof-of-concept across Chaos Monkey, Chaos Mesh, and LitmusChaos. Litmus won on four criteria that mattered for Flipkart’s context: it is Kubernetes-native end-to-end (aligning with the broader K8s-first direction), it ships a rich drag-and-drop UI that drives adoption beyond SREs, it is deeply extensible (custom faults were a non-negotiable requirement), and its resilience-probe model gave the team a path toward a measurable resiliency score per service.&lt;/p>
&lt;h3 id="from-single-tenant-to-hybrid-multi-tenancy">From single-tenant to hybrid multi-tenancy&lt;/h3>
&lt;p>The two install modes Litmus offers out of the box are cluster-wide (low operational burden, but no isolation) and namespace-wide (strong isolation, but every tenant has to operate its own Litmus install). At Flipkart’s scale — hundreds of teams across central platform and application areas — neither extreme works. The hybrid model takes the best of both: one centralized control plane (so no team has to run Litmus) plus a per-tenant subscriber pinned to that tenant’s namespaces (so isolation is enforced at the dispatch boundary). Litmus maintainer Karthik Satchitanand described this pattern as “a very nice model… a good balance” and has suggested it be documented upstream as a preferred mode of operation.&lt;/p>
&lt;h3 id="why-a-daemonset-instead-of-helper-pods">Why a DaemonSet instead of helper pods&lt;/h3>
&lt;p>Litmus’s default execution model spins up an on-demand helper pod per experiment. At scale, in busy staging clusters with active chaos drills, those helper pods can fail to schedule — producing a chaos infrastructure failure that masquerades as the chaos itself. The DaemonSet inverts this: one long-lived pod per node, with the chaos image already present, executes parallel chaos sessions invoked by the experiment pods. This makes injection deterministic at the cost of a persistent privileged surface — a trade-off Flipkart accepts in staging, where platform availability for chaos drills matters most.&lt;/p>
&lt;h3 id="why-a-script-runner-fault">Why a Script Runner fault&lt;/h3>
&lt;p>Real-world failure scenarios are rarely “delete pod X.” They are “find the current leader of a leader-follower system, delete it, and verify re-election.” Litmus’s built-in faults could not express dynamic target selection or pass state forward from one step to the next. The Script Runner is a first-class fault type that executes a user-defined container running a user-defined script; its stdout becomes the target list for any subsequent fault in the experiment, not just the immediate next one. The database team’s leader-election verification was the canonical use case that motivated this design.&lt;/p>
&lt;h3 id="why-a-hybrid-vm-chaos-extension">&lt;strong>Why a Hybrid VM Chaos extension&lt;/strong>&lt;/h3>
&lt;p>A meaningful slice of Flipkart’s estate runs on VMs, not Kubernetes. Building a parallel chaos tool for that surface would have fragmented the user experience and split the observability story. Instead, the team rebuilt the existing VM Power experiment against Flipkart’s internal cloud platform APIs (start/stop/restart) and added resource-level stress chaos (CPU hog, memory hog, network hog, disk-level) using internal Debian stress packages. Because the experiments are still driven by Litmus, VM teams get the same Grafana exporters, the same experiment run history, the same resilience score tab, and the same probe model (with custom SSH-based probes for pre- and post-experiment infrastructure checks) that Kubernetes users get.&lt;/p>
&lt;h2 id="what-has-worked-well">What has worked well?&lt;/h2>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Hybrid multi-tenancy.&lt;/strong> The centralized-control-plane plus per-tenant-subscriber pattern absorbed onboarding for many tenants with effectively zero per-tenant infra burden, while still preventing cross-tenant blast radius. Recognized by upstream Litmus maintainers as a candidate preferred-mode pattern.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>DaemonSet injection.&lt;/strong> Eliminated experiment failures caused by helper-pod scheduling issues in staging. Chaos drills now fail because the system under test failed — not because the chaos infrastructure couldn’t schedule a pod.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Script Runner.&lt;/strong> Unlocked previously inexpressible scenarios such as leader-election verification. Context chaining turned chaos experiments into proper workflows rather than single-shot fault injections.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Unified VM and Kubernetes experience.&lt;/strong> Reusing Grafana exporters, run history, and the resilience score tab gave VM teams a first-class user experience and avoided fragmenting the chaos tooling landscape inside Flipkart.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Pre-event readiness validation.&lt;/strong> Chaos drills validated operational readiness ahead of the recent Big Billion Days sale, confirmed that CPU thresholds trigger the right alerts, that network failures surface correctly as 5xx spikes, and that weak links in deployment specs and alert configurations could be fixed before they became real incidents.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Cultural shift.&lt;/strong> Engineering teams moved from “prevention” (try not to fail) to “practice” (rehearse failure), and from “panic” to “procedure” during incident response. Chaos scenarios now form the foundation of incident runbooks.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Internal Chaos Hub.&lt;/strong> Tenant-published experiment templates accelerate reuse across teams — the chaos engineering analogue of an internal package registry.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;h2 id="what-has-not-worked-well">What has not worked well?&lt;/h2>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Privileged DaemonSet residency.&lt;/strong> Persistent, highly privileged pods on every node are an accepted trade-off in staging but constrain how aggressively the same pattern can be deployed in production. Reducing the blast radius of the injection layer remains an open problem.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Multi-tenant gaps in upstream Litmus.&lt;/strong> Several places in upstream Litmus assumed single-tenant scope — most visibly, probe-name uniqueness enforced globally instead of project-scoped (a MongoDB index issue). These needed upstream fixes before the multi-tenant model could behave correctly.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Terminology drift across the project.&lt;/strong> The renaming of “experiment” to “fault” in parts of Litmus left behind frontend/backend mismatches — e.g., experiment pod-block visibility — that required cleanup contributions.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Heterogeneous VM hosts.&lt;/strong> The stress chaos extension is currently scoped to Debian hosts; broadening to additional host OSes will mean factoring out the OS-specific layer.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Production chaos is still selective.&lt;/strong> Most chaos still runs in staging. Building enough confidence (and enough guardrails) to run the full chaos surface in production is an ongoing journey.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Custom image registry support.&lt;/strong> A long-standing (year-old) issue prevented the custom image registry setting from flowing through to the generated workflow YAML — a blocker for air-gapped and internal-registry deployments. Required a Flipkart upstream fix to resolve.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;h2 id="what-sort-of-glue-have-you-had-to-develop">What sort of &amp;ldquo;glue&amp;rdquo; have you had to develop?&lt;/h2>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Per-tenant subscriber onboarding pipeline.&lt;/strong> Tooling and a defined onboarding flow so that adding a new tenant means deploying a scoped subscriber, registering its namespaces, and attaching it to the central control plane — without any tenant operating its own Litmus install.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>DaemonSet injection runtime.&lt;/strong> Replaced the on-demand helper-pod model with a long-lived, node-local DaemonSet (using the litmus-go image) that accepts target information from experiment pods and executes parallel chaos sessions in independent shells.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Script Runner fault.&lt;/strong> New first-class fault type backed by a user-defined container image running a user-defined script, with stdout captured as structured context that any subsequent fault in the experiment can consume — not just the immediate next step.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Hybrid VM Chaos extension.&lt;/strong> A reimplementation of VM Power on top of Flipkart’s internal cloud APIs, plus a stress-chaos suite (CPU, memory, network, disk) built on internal Debian stress packages, plus custom SSH-based probes that mirror the Kubernetes probe experience for VM workloads.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Internal Chaos Hub publishing pipeline.&lt;/strong> A workflow that lets tenants publish reusable experiment templates to a private, Flipkart-internal catalog and pull them down into their own experiments.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Upstream fixes packaged as patches and PRs.&lt;/strong> Probe-name uniqueness (MongoDB index), probe-name reuse-after-deletion (filtration), experiment-update duplicate-name validation, UI consistency (experiment-completion icon, GCP/Azure fault logos), custom image registry, and pod-block visibility — each shipped back to the LitmusChaos project.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;h2 id="how-did-the-architecture-evolve">How did the Architecture Evolve**&lt;/h2>
&lt;h3 id="journey">Journey&lt;/h3>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Phase 1 — Reactive runbooks.&lt;/strong> Failure modes existed only on paper. Runbooks were written but not practiced. Chaos engineering was an afterthought.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Phase 2 — Tool selection.&lt;/strong> Detailed PoC across Chaos Monkey, Chaos Mesh, and LitmusChaos. Litmus selected on Kubernetes-native design, drag-and-drop UI, extensibility, and resilience-probe model.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Phase 3 — Centralization.&lt;/strong> Stood up a single centralized Litmus control plane and built the per-tenant subscriber model to hit multi-tenancy without forcing tenants to run their own installs.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Phase 4 — Hardening the injection layer.&lt;/strong> Replaced ephemeral helper pods with the DaemonSet HA model after observing scheduling-induced experiment failures in staging.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Phase 5 — Expressing real scenarios.&lt;/strong> Added the Script Runner fault to unlock dynamic target selection and context chaining (e.g., leader-election verification for the database team).&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Phase 6 — Beyond Kubernetes.&lt;/strong> Built the Hybrid VM Chaos extension so VM teams get the same Litmus experience and observability surface as Kubernetes teams.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Phase 7 — Internalize and contribute back.&lt;/strong> Stood up the internal Chaos Hub for cross-team reuse and began the upstream contribution cadence back to LitmusChaos.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Phase 8 — Pre-event validation.&lt;/strong> Used the platform to validate operational readiness ahead of Big Billion Days; chaos drills now feed incident runbooks directly.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;h3 id="key-lessons">Key Lessons&lt;/h3>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Hybrid is the right answer for multi-tenancy at scale.&lt;/strong> Neither cluster-wide nor namespace-wide install models fit a hundreds-of-teams organization on their own. A centralized control plane plus per-tenant subscribers is the productive middle.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Chaos infrastructure must be more reliable than the systems it tests.&lt;/strong> Every false negative — a chaos experiment that failed for infrastructure reasons — erodes trust in the practice. The DaemonSet HA model exists because that trust was real and worth defending.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Failure modes are workflows, not single faults.&lt;/strong> Dynamic target selection and context chaining (Script Runner) were not nice-to-have — they were the difference between toy chaos and useful chaos.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Treat non-Kubernetes workloads as first-class.&lt;/strong> Pushing VM chaos through the same Litmus experience and observability surface kept the cultural and tooling story unified.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Start with central platform teams.&lt;/strong> Teams that already run shared infrastructure (Kubernetes-as-a-Service, service mesh, central databases) had the runbooks and the motivation to be the first chaos consumers. Application teams followed.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Documentation and discipline.&lt;/strong> Clear hypotheses before the experiment, clear results after; this is what turns a one-off chaos run into reusable organizational knowledge.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Don’t roll chaos out everywhere at once.&lt;/strong> Pilot, learn, then expand. The internal Chaos Hub exists because the expansion phase needed reusable artifacts, not from-scratch experiments per team.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Recovery time matters as much as prevention.&lt;/strong> You can’t prevent every failure, but you can systematically improve how quickly you recover from it — and chaos drills are the most honest measurement of that.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Contribute upstream.&lt;/strong> Local patches become long-term debt; upstream contributions become permanent improvements for everyone, including Flipkart’s future self.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;h3 id="whats-next-for-your-architecture">What&amp;rsquo;s next for your architecture?&lt;/h3>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Production chaos at scale.&lt;/strong> Expand selective production chaos runs into a more regular, more comprehensive practice — with new guardrails for the injection layer to reduce the privileged surface area.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Broader host OS support for VM chaos.&lt;/strong> Factor out the OS-specific stress layer so the hybrid VM chaos extension is not tied to Debian.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Deeper integration with incident runbooks.&lt;/strong> Close the loop so that every documented incident generates (or updates) a corresponding chaos scenario.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Resiliency score as a service-level metric.&lt;/strong> Promote the Litmus resilience score from “informational” to a tracked, dashboarded, team-level reliability KPI.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Continued upstream contribution.&lt;/strong> Push the hybrid multi-tenancy pattern, the DaemonSet HA injection model, and the Script Runner fault toward generalization in upstream LitmusChaos for the broader CNCF community.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Chaos in CI/CD.&lt;/strong> Move from out-of-band chaos drills to chaos gates that run as part of the deployment pipeline for high-tier services.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Observability and AIOps.&lt;/strong> Use the rich telemetry produced by repeated chaos runs to drive AI-assisted blast-radius prediction and pre-event readiness scoring for events like Big Billion Days.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;h2 id="community-contributions">Community Contributions&lt;/h2>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th style="text-align:left">Contribution&lt;/th>
&lt;th style="text-align:left">Details&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td style="text-align:left">&lt;strong>Probe scoping fix&lt;/strong>&lt;/td>
&lt;td style="text-align:left">Made probe-name uniqueness project-scoped instead of globally scoped (MongoDB index fix), enabling true multi-tenant use of probes in LitmusChaos.&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align:left">&lt;strong>Probe name reuse&lt;/strong>&lt;/td>
&lt;td style="text-align:left">Filtration fix that allows probe names to be reused after deletion — removed a stale-record blocker for teams iterating on probe definitions.&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align:left">&lt;strong>Experiment update bug&lt;/strong>&lt;/td>
&lt;td style="text-align:left">Fixed a duplicate-name validation that was incorrectly firing on tag/description-only edits when updating an experiment.&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align:left">&lt;strong>UI consistency fixes&lt;/strong>&lt;/td>
&lt;td style="text-align:left">Corrected the experiment-completion icon; fixed fault-card logos for GCP and Azure faults that were rendering the generic Litmus logo.&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align:left">&lt;strong>Custom image registry&lt;/strong>&lt;/td>
&lt;td style="text-align:left">Fixed long-standing (year-old) issue so the custom image registry setting correctly reflects in the generated workflow YAML — essential for air-gapped and internal-registry deployments.&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align:left">&lt;strong>Pod-block visibility&lt;/strong>&lt;/td>
&lt;td style="text-align:left">Fixed experiment pod-block visibility on the portal; resolved terminology drift between frontend and backend after the “experiment → fault” rename.&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align:left">&lt;strong>Architecture pattern&lt;/strong>&lt;/td>
&lt;td style="text-align:left">Hybrid multi-tenant architecture (centralized operator + per-tenant subscriber) recognized by Litmus maintainers as a candidate preferred mode of operation to be documented upstream.&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td style="text-align:left">&lt;strong>Conference contribution&lt;/strong>&lt;/td>
&lt;td style="text-align:left">Case study presented at KubeCon India keynote (2026), sharing the multi-tenant chaos platform pattern with the broader CNCF community.&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h2 id="voices-from-the-team">Voices from the team&lt;/h2>
&lt;p>&lt;em>“We moved from prevention to practice; instead of just trying to prevent issues, we actively practice handling them. And for incident response, we’ve gone from panic to procedure.”&lt;/em>&lt;/p>
&lt;p>— Khushi Tiwari, Software Developer, Central Reliability team&lt;/p>
&lt;p>&lt;em>“Implementing Litmus chaos at the kind of scale we operate at, and enabling the platform teams that directly impact hundreds of development teams — that’s been a very rewarding journey.”&lt;/em>&lt;/p>
&lt;p>— Aditya, Software Developer, Central Reliability team&lt;/p>
&lt;p>&lt;em>“The scenarios we test become the foundation for our incident runbooks, which makes the actual incident response much better.”&lt;/em>&lt;/p>
&lt;p>— Hashith, Site Reliability Engineer&lt;/p>
&lt;h2 id="discussion">Discussion&lt;/h2>
&lt;p>End user members may participate in the &lt;a href="https://github.com/cncf/tab/discussions/135">discussion thread&lt;/a> for this architecture.&lt;/p></description></item><item><title>Architectures: ZEISS Vision Care - Order Fulfillment</title><link>https://deploy-preview-36--cncfarchitecture.netlify.app/architectures/zeiss/</link><pubDate>Tue, 17 Mar 2026 00:00:00 +0000</pubDate><guid>https://deploy-preview-36--cncfarchitecture.netlify.app/architectures/zeiss/</guid><description>
&lt;h2 id="relevant-cncf-projects">Relevant CNCF projects&lt;/h2>
&lt;div class="row row-cols-1 row-cols-md-3 mb-4">
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Kubernetes
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/kubernetes/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/kubernetes/icon/color/kubernetes-icon-color.svg" alt="kubernetes logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2020&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> 1.32.3&lt;/li>
&lt;/ul>
&lt;p>Hosts &amp;gt; 200 microservices supporting order fulfillment processes on managed Kubernetes. Provides the core compute platform for containerized services.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Dapr
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/dapr/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/dapr/stacked/color/dapr-stacked-color.svg" alt="dapr logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2020&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> 1.17.0&lt;/li>
&lt;/ul>
&lt;p>Provides common building blocks like service invocation, pub/sub, and state management across microservices; vendor-neutral abstractions enable portability across cloud providers.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
KEDA
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/keda/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/keda/icon/color/keda-icon-color.svg" alt="keda logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2021/2022&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> 2.19.0&lt;/li>
&lt;/ul>
&lt;p>Event-driven scaling. KEDA acts as an event-driven scaler; examples of triggers include message-broker queue depth and resource utilization.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
OpenTelemetry
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/opentelemetry/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/opentelemetry/icon/color/opentelemetry-icon-color.svg" alt="opentelemetry logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2020&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> Collector Contrib 0.145.0&lt;/li>
&lt;/ul>
&lt;p>Provides consistent instrumentation and exports telemetry to multiple targets.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Helm
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/helm/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/helm/icon/color/helm-icon-color.svg" alt="helm logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2020&lt;/li>
&lt;/ul>
&lt;p>Package management and templating for Kubernetes deployments.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;h2 id="organization">Organization&lt;/h2>
&lt;p>ZEISS Vision Care produces spectacle lenses, instruments for refraction, and glasses adjustment equipment. Often, lenses are manufactured to an individual consumer&amp;rsquo;s prescription, effectively a batch size of one, which makes order fulfillment a multi-step coordination process.&lt;/p>
&lt;p>Our Business Enablement &amp;amp; IT team develops, designs, and operates the order fulfillment platform that underpins this process.&lt;/p>
&lt;h2 id="synopsis">Synopsis&lt;/h2>
&lt;p>We are reworking the order fulfillment process using a greenfield approach to modernize core systems. Our goal is a reliable, scalable platform that can evolve with business needs while remaining cost-efficient. The platform supports several key capabilities:&lt;/p>
&lt;ul>
&lt;li>Order routing: decide where the order should be produced.&lt;/li>
&lt;li>Order document generation: generate the necessary manufacturing and shipping documents for the order.&lt;/li>
&lt;li>Logistics routing: decide how to ship the order to the customer.&lt;/li>
&lt;li>Additional auxiliary domains as required.&lt;/li>
&lt;/ul>
&lt;h2 id="architecture-overview--goals">Architecture overview &amp;amp; Goals&lt;/h2>
&lt;h3 id="goals">Goals&lt;/h3>
&lt;p>The architecture is designed for future-proofing and scale. By leveraging event-driven scaling with KEDA and decoupled microservices via Dapr, the system is built to seamlessly absorb high-volume, global order loads as new processes are continuously migrated to the new platform.&lt;/p>
&lt;p>&lt;strong>Key Requirements:&lt;/strong>&lt;/p>
&lt;ul>
&lt;li>Modern cloud-based infrastructure&lt;/li>
&lt;li>High reliability and scalability&lt;/li>
&lt;li>Maintainable and extensible&lt;/li>
&lt;li>Cost-effective operations&lt;/li>
&lt;/ul>
&lt;h3 id="architecture-overview">Architecture Overview&lt;/h3>
&lt;p>&lt;img src="./images/solutionArchitecture.svg" alt="Architecture">&lt;/p>
&lt;h4 id="data--storage-strategy">Data &amp;amp; Storage Strategy&lt;/h4>
&lt;p>The platform uses Azure-managed data services as backing stores:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>MSSQL&lt;/strong>: Transactional order data and relational schemas&lt;/li>
&lt;li>&lt;strong>Cosmos DB&lt;/strong>: Scaled state management and cross-region replication&lt;/li>
&lt;li>&lt;strong>Azure Blob Storage&lt;/strong>: Order documents and manufacturing files&lt;/li>
&lt;li>&lt;strong>Redis&lt;/strong>: Caching operations to improve latency and throughput&lt;/li>
&lt;/ul>
&lt;p>Dapr&amp;rsquo;s state abstraction layer is used for Cosmos DB, Azure Blob Storage, and Redis, decoupling microservices from those storage backends and enabling migrations without application-level changes. For Azure Blob Storage, we also use Dapr&amp;rsquo;s blob binding to interact with data, in addition to the state abstraction layer.&lt;/p>
&lt;h4 id="messaging--asynchronous-communication">Messaging &amp;amp; Asynchronous Communication&lt;/h4>
&lt;p>Azure Service Bus serves as the central message broker for asynchronous processes. Services publish and subscribe to topics via Dapr&amp;rsquo;s pub/sub building block, enabling loose coupling between applications. This event-driven approach provides resilience and allows each service to scale independently based on demand.&lt;/p>
&lt;h4 id="network--service-discovery">Network &amp;amp; Service Discovery&lt;/h4>
&lt;p>Services use Dapr&amp;rsquo;s service invocation building block instead of hardcoded endpoints, enabling resilience and the ability to replace or upgrade service implementations without changing callers. External traffic is routed to services via Ingress NGINX.&lt;/p>
&lt;h4 id="cicd--deployment">CI/CD &amp;amp; Deployment&lt;/h4>
&lt;p>Azure DevOps Pipelines automate building, testing, and deploying applications. We use a single, centralized Helm chart and store deployment configuration in Git as the single source of truth; the pipeline generates environment- and service-specific &lt;code>values.yaml&lt;/code> files and deploys each service as its own Helm release to Kubernetes.&lt;/p>
&lt;h2 id="can-you-expand-on-why-you-are-using-those-projectsservices">Can you expand on why you are using those projects/services?&lt;/h2>
&lt;p>We rely heavily on CNCF projects and open-source tooling to form the backbone of our platform:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Kubernetes (AKS)&lt;/strong> &lt;em>(Using since 2020)&lt;/em>: Hosts &amp;gt; 200 microservices supporting order fulfillment workflows. It provides the core compute platform for containerized services, offering a flexible model that supports multiple frameworks, programming languages, and dynamic scaling.&lt;/li>
&lt;li>&lt;strong>Dapr&lt;/strong> &lt;em>(Using since 2020)&lt;/em>: Provides common building blocks like service invocation, pub/sub, and state management across microservices. Dapr enables vendor-neutral capabilities, addressing service discovery and maintaining portability.&lt;/li>
&lt;li>&lt;strong>KEDA&lt;/strong> &lt;em>(Using since 2021/2022)&lt;/em>: Event-driven scaling based on Azure Service Bus queue depth and CPU/memory utilization. This allows the system to scale aggressively to match real-time demand while running economically during quieter periods.&lt;/li>
&lt;li>&lt;strong>Helm&lt;/strong>: Package management and templating. Charts are stored in Git, enabling reproducible deployments across environments since the project&amp;rsquo;s inception.&lt;/li>
&lt;li>&lt;strong>Ingress NGINX&lt;/strong> &lt;em>(currently in use, pending replacement – see Future Outlook)&lt;/em>: External traffic routing and load balancing.&lt;/li>
&lt;li>&lt;strong>OpenTelemetry Collector&lt;/strong> &lt;em>(Using since 2020)&lt;/em>: Provides consistent instrumentation and exports telemetry to multiple targets. It enables distributed tracing and metrics collection across microservices, ensuring observability and performance monitoring.&lt;/li>
&lt;/ul>
&lt;h2 id="what-has-worked-well">What has worked well?&lt;/h2>
&lt;p>Kubernetes, Helm, and KEDA have proven reliable and are widely used.&lt;/p>
&lt;p>&lt;strong>Scaling to Zero and Back:&lt;/strong>
We initially attempted to scale services to 0 replicas with KEDA to minimize costs, but this introduced operational challenges: delayed data flows during testing when pods needed to start up, and frequent scale churn during traffic pauses between messages. We learned that setting a minimum replica count for baseline load while scaling out for peaks was much more cost-effective and reliable for our specific workload patterns.&lt;/p>
&lt;p>&lt;strong>The Advantage of Abstraction:&lt;/strong>
A major architectural risk early on was building the entire system on Dapr (starting at pre-1.0 release 0.7.0). Early adoption carried organizational risk and we initially faced instability with actors under heavy load. Over time, those issues were fully resolved. The decision proved highly beneficial: Dapr’s maturity and vendor-neutral approach validated the initial decision, giving the platform extreme portability, flexibility, and saving custom boilerplate.&lt;/p>
&lt;p>&lt;strong>Platform Evolution:&lt;/strong>
Dapr is consistently evolving, allowing us to streamline our platform by replacing specific SDKs with built-in functionalities over time. For instance, we are transitioning from Azure App Configuration to Dapr&amp;rsquo;s Configuration Building Block. In hindsight, we would have standardized on CNCF native components sooner (e.g., migrating earlier to OpenTelemetry Collector and a CNCF ingress solution) to avoid replacing vendor-specific SDKs mid-project.&lt;/p>
&lt;p>&lt;strong>Data Ownership and Boundaries:&lt;/strong>
A critical lesson was the strict enforcement of data ownership. In a microservices architecture with over 200 services, we learned that clearly defining which service owns which data is non-negotiable. We found that any direct data access between services, bypassing their dedicated APIs, inevitably leads to tight coupling and maintenance challenges. Adhering to Domain-Driven Design (DDD) principles, where each service exposes its data only through a well-defined API, was essential for maintaining a scalable and evolvable system. This prevented a &amp;ldquo;distributed monolith&amp;rdquo; and ensured long-term architectural integrity.&lt;/p>
&lt;h2 id="what-sort-of-glue-have-you-had-to-develop">What sort of &amp;ldquo;glue&amp;rdquo; have you had to develop?&lt;/h2>
&lt;p>Since we had a greenfield start, we were not constrained by legacy endpoints or migration paths. However, managing over 200 microservices required strict boundaries and standardized communication patterns. We heavily utilized Domain-Driven Design (DDD) principles—specifically &lt;strong>Bounded Contexts&lt;/strong> to ensure each microservice owns its data and domain logic.&lt;/p>
&lt;p>To enforce these boundaries and standardize the &amp;ldquo;glue&amp;rdquo; between services, we developed:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Standardized Helm Templates&lt;/strong>: A unified set of Helm charts that abstract away the complexity of Kubernetes manifests and Dapr sidecar configuration. Developers provide application-specific KEDA &lt;code>ScaledObject&lt;/code> definitions and Dapr component definitions.&lt;/li>
&lt;li>&lt;strong>Common Libraries&lt;/strong>: While Dapr abstracts away many infrastructure concerns, we built thin, language-specific wrappers around the Dapr SDKs to enforce internal logging and error-handling standards.&lt;/li>
&lt;/ul>
&lt;h2 id="impact--results">Impact &amp;amp; Results&lt;/h2>
&lt;p>By adopting this cloud-native stack, we have built a highly scalable and future-ready order fulfillment system. A key driver of this success has been our extensive use of Dapr, which not only significantly reduced boilerplate code but also provided us with a high degree of vendor neutrality. This abstraction layer means we are not tightly coupled to specific cloud providers&amp;rsquo; SDKs, enabling an architecture that is portable, flexible, and robust enough for long-term growth.&lt;/p>
&lt;h2 id="whats-next-for-your-architecture">What&amp;rsquo;s next for your architecture?&lt;/h2>
&lt;p>We are constantly investigating how to run our services as efficiently and economically as possible. A near-term priority is replacing our existing Ingress NGINX setup. Because the Kubernetes project has &lt;a href="https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/">officially announced the retirement of the ingress-nginx project&lt;/a>, we are actively evaluating alternatives—including NGINX Gateway Fabric, Envoy Gateway, and Traefik—while striving to preserve our routing behavior, TLS automation, and operational stability. Transitioning to the Gateway API is a key step in future-proofing our external traffic routing.&lt;/p>
&lt;h2 id="discussion">Discussion&lt;/h2>
&lt;p>End user members may participate in the &lt;a href="https://github.com/cncf/tab/discussions/135">discussion thread&lt;/a> for this architecture.&lt;/p></description></item><item><title>Architectures: End-to-End Cloud Native Telco Platform Automation at Swisscom</title><link>https://deploy-preview-36--cncfarchitecture.netlify.app/architectures/swisscom-cloud-native-telco/</link><pubDate>Mon, 16 Mar 2026 00:00:00 +0000</pubDate><guid>https://deploy-preview-36--cncfarchitecture.netlify.app/architectures/swisscom-cloud-native-telco/</guid><description>
&lt;h2 id="relevant-projects">Relevant Projects&lt;/h2>
&lt;h3 id="cncf-projects">CNCF Projects&lt;/h3>
&lt;div class="row row-cols-1 row-cols-md-3 mb-4">
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Kubernetes
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/kubernetes/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/kubernetes/icon/color/kubernetes-icon-color.svg" alt="kubernetes logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Using since:&lt;/strong> 2021&lt;/p>
&lt;p>The Kubernetes API is the database backend and control plane of the entire automation platform. It acts as the runtime for all CNFs, operators, and platform services. Custom Resource Definitions extend the API to cover telco-specific concerns like IPAM, DNS, and network function configuration.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Flux
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/flux/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.svg" alt="flux logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Using since:&lt;/strong> 2022&lt;/p>
&lt;p>Flux is the GitOps engine for continuous reconciliation. It monitors Git repositories and synchronizes all desired state — CNF deployment manifests, Custom Resources, DNS endpoints, certificate requests, IP claims, and test definitions — into Kubernetes clusters.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
cert-manager
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/cert-manager/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/cert-manager/icon/color/cert-manager-icon-color.svg" alt="cert-manager logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Using since:&lt;/strong> 2023&lt;/p>
&lt;p>Automated certificate lifecycle management integrated with Swisscom&amp;rsquo;s internal PKI. Certificate requests are expressed as Kubernetes CRs, reconciled by Flux, and managed by cert-manager. Private keys never leave the cluster.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Headlamp
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/headlamp/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/headlamp/icon/color/headlamp-icon-color.svg" alt="headlamp logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Using since:&lt;/strong> 2025&lt;/p>
&lt;p>Kubernetes dashboard for the management cluster, providing cluster visibility, RBAC-based access control, a CRD documentation browser, and extensible plugin system. Swisscom is listed as an official Headlamp adopter.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
SDC (Schema Driven Configuration)
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://docs.sdcio.dev/">&lt;img src="https://landscape.cncf.io/logos/c5f5fbc1c0b595d28bcfc1f443d46b7c0e4aa4c0dc9f239b0e0fa90ca3a4fda4.svg" alt="sdc logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Using since:&lt;/strong> 2024&lt;/p>
&lt;p>Used as the Config Sync Operator to push assembled configurations to CNFs. SDC enables vendor-agnostic, declarative configuration management using YANG schemas and NETCONF/gNMI protocols. Swisscom adopted SDC as its strategic configuration management solution and actively contributes features including config blame, drift detection, validation, testing compatibility with CNFs, and NETCONF Actions support. Swisscom is listed as an official SDC adopter.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
CoreDNS
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/coredns/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/coredns/icon/color/coredns-icon-color.svg" alt="coredns logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Using since:&lt;/strong> 2021&lt;/p>
&lt;p>In-cluster DNS service discovery for Kubernetes services. Also used with conditional forwarding to route queries for private 5G zones (e.g., 3gppnetwork.org) to the authoritative PowerDNS servers.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
ExternalDNS
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://kubernetes-sigs.github.io/external-dns/latest/">&lt;img src="https://kubernetes-sigs.github.io/external-dns/latest/docs/img/external-dns.png" alt="externaldns logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Using since:&lt;/strong> 2023&lt;/p>
&lt;p>Kubernetes-native automation of DNS records in PowerDNS using Custom Resources and annotations.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
MetalLB
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/metallb/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/metallb/icon/color/metallb-icon-color.svg" alt="metallb logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Using since:&lt;/strong> 2022&lt;/p>
&lt;p>Load balancer for bare-metal Kubernetes clusters. MetalLB IP address pools are managed via KRM, with IP addresses dynamically allocated from NetBox via the NetBox Operator.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Kubebuilder / controller-runtime
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://github.com/kubernetes-sigs/kubebuilder">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/kubernetes/icon/color/kubernetes-icon-color.svg" alt="kubernetes logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Using since:&lt;/strong> 2022&lt;/p>
&lt;p>Scaffolding framework and libraries for building custom Kubernetes operators. Used to build all domain-specific operators for CNF configuration abstraction, IPAM integration, config synchronization, and DNS automation.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;h3 id="other-projects">Other Projects&lt;/h3>
&lt;div class="row row-cols-1 row-cols-md-3 mb-4">
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
PowerDNS
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.powerdns.com">&lt;img src="https://upload.wikimedia.org/wikipedia/commons/9/9e/Logo_of_PowerDNS.svg" alt="powerdns logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Using since:&lt;/strong> 2023&lt;/p>
&lt;p>Authoritative DNS server supporting automation of advanced resource records (NAPTR, SRV) required for 5G/SIP via ExternalDNS.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
NetBox Operator
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://github.com/netbox-community/netbox-operator">&lt;img src="https://raw.githubusercontent.com/netbox-community/netbox/main/docs/netbox_logo_light.svg" alt="netbox logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Using since:&lt;/strong> 2024&lt;/p>
&lt;p>Kubernetes operator for IPAM integration, open-sourced by Swisscom. Brings IPAM into the Kubernetes API with a claim model inspired by PersistentVolumeClaims — dynamically allocating IP prefixes and addresses from NetBox, managing their lifecycle through Kubernetes garbage collection, and supporting sticky IPs for disaster recovery.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
NetBox
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://github.com/netbox-community/netbox">&lt;img src="https://raw.githubusercontent.com/netbox-community/netbox/main/docs/netbox_logo_light.svg" alt="netbox logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Using since:&lt;/strong> 2023&lt;/p>
&lt;p>IP Address Management (IPAM) and network infrastructure modeling. Used as the IPAM backend for dynamic IP allocation across all CNFs and platform services.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;h2 id="tldr-or-synopsis">TL;DR or Synopsis&lt;/h2>
&lt;p>Swisscom has built a cloud native telco platform for the end-to-end automation of its 5G standalone core network and cross-domain resource orchestration. The architecture replaces traditional imperative network management (Jenkins pipelines, Ansible playbooks) with a fully declarative, Kubernetes-native automation model driven by GitOps and the Kubernetes Resource Model (KRM).&lt;/p>
&lt;p>A mobile core development environment contains approximately 2,000 pods with over 5,000 interdependent configuration parameters across Cloud-Native Network Functions (CNFs) such as UPF, SMF, AMF, UDM, UDR, BSF, NRF, NSSF, and AUSF. Engineers express high-level intents as Kubernetes Custom Resources; custom operators dynamically assemble full configurations at runtime — fetching IP addresses from IPAM, secrets from Vault, certificates from PKI, and infrastructure details from the cluster.&lt;/p>
&lt;p>While the 5G core is the primary domain, the orchestration framework extends across multiple network domains and infrastructure services, applying the same intent-based automation patterns consistently.&lt;/p>
&lt;h2 id="organisation">Organisation&lt;/h2>
&lt;p>Swisscom is the leading Telecommunications/ISP and ICT company and offers mobile, Internet and TV products, as well as comprehensive IT and digital services to private and business customers.
Swisscom&amp;rsquo;s expertise in cloud native technologies is well-established, as evidenced by its status as a former Gold member and Management Board member of the Cloud Foundry Foundation, along with its certification for Cloud Foundry.
Additionally, Swisscom demonstrates a strong commitment to the Open-Source community, having been a CNCF Silver Member for several years and serving as a Kubernetes Certified Service Provider (KCSP) partner.
Our skilled employees have delivered numerous talks and presentations at prestigious events such as KubeCon, Cloud Native Zürich, Swiss Cloud Native Day, KCD Suisse Romande, ContainerDays.&lt;/p>
&lt;p>The company has embarked on a strategic transformation from a traditional telecom operator (&amp;ldquo;Telco&amp;rdquo;) to a technology company (&amp;ldquo;TechCo&amp;rdquo;) with 5G as a central driver.
Swisscom operates an extensive 5G Non-Standalone (NSA) network covering 99% of the Swiss population. The cloud native platform described here powers the 5G Standalone (SA) core.&lt;/p>
&lt;h2 id="teams">Teams&lt;/h2>
&lt;p>Multiple teams collaborate on this platform:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Cloud Native Resource Orchestration&lt;/strong> — creates a robust framework for orchestrating cloud-native resources such as CNFs, IPAM, Networks, DNS, Kubernetes Clusters, and more. Designs and operates GitOps pipelines, builds Kubernetes operators, and develops the management cluster UI/UX.&lt;/li>
&lt;li>&lt;strong>Mobile Cloud Native Engineering&lt;/strong> — designs, implements, and operates the cloud native 5G core platform, including GitOps pipelines, Kubernetes operators, and network function lifecycle management.&lt;/li>
&lt;li>&lt;strong>DNS Engineering&lt;/strong> — builds and operates the highly reliable cloud native DNS service underpinning the 5G core and other infrastructures.&lt;/li>
&lt;li>&lt;strong>Network Engineering&lt;/strong> — provides IPAM and Network-as-a-Service.&lt;/li>
&lt;li>&lt;strong>Platform &amp;amp; Developer Experience&lt;/strong> — manages Kubernetes clusters and builds developer tooling.&lt;/li>
&lt;/ul>
&lt;h2 id="architecture-overview--goals">Architecture overview &amp;amp; Goals&lt;/h2>
&lt;h3 id="goals">Goals&lt;/h3>
&lt;ol>
&lt;li>&lt;strong>Full GitOps for the 5G Core&lt;/strong> — Extend GitOps beyond CNF deployment to include network function configuration, certificate management, DNS record provisioning, IP address management, and testing — achieving continuous reconciliation across all layers.&lt;/li>
&lt;li>&lt;strong>Declarative, Intent-Based Configuration&lt;/strong> — Replace static, low-level configuration manifests with abstract, intent-driven Custom Resources. Engineers specify &lt;em>what&lt;/em> they want using a high level intent (e.g., &amp;ldquo;this CNF needs an IP address from a subnet in network zone A&amp;rdquo;) rather than &lt;em>how&lt;/em> to achieve it, with Kubernetes operators dynamically assembling configurations at runtime.&lt;/li>
&lt;li>&lt;strong>Automated CD&lt;/strong> — High level of automation for telco deployment rollouts. This includes rethinking Change Processes as well as building solid CI/CD/CT pipelines to ensure a highly reliable network.&lt;/li>
&lt;li>&lt;strong>In-Band with Kubernetes&lt;/strong> — Bring all automation in-band with the Kubernetes API, eliminating out-of-band tools like Jenkins pipelines and Ansible playbooks. This ensures that the Kubernetes orchestrator has full visibility and control over all resources, enabling self-healing and reconciliation.&lt;/li>
&lt;li>&lt;strong>Cloud Native DNS Service&lt;/strong> — Operate a highly reliable, geo-redundant, on-premises DNS service for the 5G core using open-source technologies (CoreDNS, PowerDNS, ExternalDNS), fully automated via GitOps and Kubernetes Custom Resources.&lt;/li>
&lt;li>&lt;strong>Contribute to the Ecosystem and Shape the Industry Discussion&lt;/strong> — Open-source key components built or contributed to during this journey (NetBox Operator, SDC, demo code) to enable other organizations to adopt similar patterns. Contribute to Meetups and Conferences in order to achieve broader success of Cloud Native adoption in the Telco Community.&lt;/li>
&lt;/ol>
&lt;h3 id="architecture-overview">Architecture overview&lt;/h3>
&lt;p>The platform is organized in three layers:&lt;/p>
&lt;p>&lt;img src="./images/swisscom-cloud-native-telco-automation-layers.svg" alt="Cloud Native Telco Automation Layers">&lt;/p>
&lt;p>The &lt;strong>Intent Layer&lt;/strong> stores high-level desired state in Git — engineers define &lt;em>what&lt;/em> they want using concise Custom Resources (e.g., a DNN configuration with hostname, region, and SNSSAI).&lt;/p>
&lt;p>The &lt;strong>Automation Layer&lt;/strong> runs on Kubernetes and continuously reconciles. Flux pulls intents from Git. Custom operators dynamically assemble full configurations by fetching IP addresses from NetBox (via the NetBox Operator) and creating connectivity in a Network-as-a-Service platform. It then pushes the KRM formatted Runtime Configuration to a Git repository for the Runtime layer to consume.&lt;/p>
&lt;p>The &lt;strong>Runtime Layer&lt;/strong> hosts the 5G core CNFs and supporting services. Flux pulls intents from Git. SDC pushes the assembled configuration to CNFs via NETCONF/gNMI. MetalLB, cert-manager, External Secrets Operator, ExternalDNS are used to configure the Workload cluster.&lt;/p>
&lt;p>&lt;img src="./images/swisscom-cloud-native-telco-automation-architecture-overview.svg" alt="Cloud Native Telco Automation Architecture Overview">&lt;/p>
&lt;h3 id="key-design-principles">Key Design Principles&lt;/h3>
&lt;ul>
&lt;li>&lt;strong>GitOps + KRM&lt;/strong>: Git stores high-level intents; Kubernetes manages dynamic, low-level configuration assembly. This is a shared source of truth across Git and Kubernetes.&lt;/li>
&lt;li>&lt;strong>Continuous Reconciliation&lt;/strong>: Every aspect of the system is continuously reconciled against the desired state — following the four OpenGitOps principles.&lt;/li>
&lt;li>&lt;strong>Abstraction over Complexity&lt;/strong>: Engineers work with simple, high-level intents; operators handle the complex assembly.&lt;/li>
&lt;/ul>
&lt;h2 id="can-you-expand-on-why-you-are-using-those-projectsservices">Can you expand on why you are using those projects/services?&lt;/h2>
&lt;h3 id="from-gitops-to-krm">From GitOps to KRM&lt;/h3>
&lt;p>Standard GitOps tools (Flux, Argo CD) combined with Helm/Kustomize have limitations for complex telco use cases: they cannot use live Kubernetes resources as inputs during rendering, cannot invoke custom business logic during template processing, and cannot dynamically assemble configurations from multiple sources. By extending GitOps with the Kubernetes Resource Model (KRM) — Custom Resource Definitions, Custom Resources, and custom Operators — the platform achieves dynamic configuration assembly at runtime.&lt;/p>
&lt;h3 id="configuration-abstraction--dynamic-assembly">Configuration Abstraction &amp;amp; Dynamic Assembly&lt;/h3>
&lt;p>A typical 5G core configuration includes IP addresses, VLAN IDs, DNS records, NF variables, secret references, and certificate references. Previously, engineers had to know all values upfront and embed them statically. The new intent-based model inverts this. The following is an example of a DNN configuration in pseudo-yaml-code.&lt;/p>
&lt;p>On the intent layer, only a very stripped-down KRM manifest exists:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-yaml" data-lang="yaml">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#204a87;font-weight:bold">apiVersion&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#000">telco.swisscom.com/v1&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline">&lt;/span>&lt;span style="color:#204a87;font-weight:bold">kind&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#000">Dnn&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline">&lt;/span>&lt;span style="color:#204a87;font-weight:bold">spec&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">hostname&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#4e9a06">&amp;#34;gprs.swisscom.com&amp;#34;&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">ipv4&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">true&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">region&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#000">ch-east&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">type&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#000">MobileInternet&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">snssai&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#000;font-weight:bold">[&lt;/span>&lt;span style="color:#0000cf;font-weight:bold">1&lt;/span>&lt;span style="color:#000;font-weight:bold">,&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#0000cf;font-weight:bold">10&lt;/span>&lt;span style="color:#000;font-weight:bold">]&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>This KRM manifest is stored in git and synced to the Management cluster using Flux. From this, the Operators in the automation layer create intermediate resources, in this case an IP Address via NetBox:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-yaml" data-lang="yaml">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#204a87;font-weight:bold">apiVersion&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#000">netbox.dev/v1&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline">&lt;/span>&lt;span style="color:#204a87;font-weight:bold">kind&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#000">IpAddressClaim&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline">&lt;/span>&lt;span style="color:#204a87;font-weight:bold">spec&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">parentPrefixSelector&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">region&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#4e9a06">&amp;#34;ch-east&amp;#34;&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#8f5902;font-style:italic"># from Dnn.spec.region&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">family&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#4e9a06">&amp;#34;IPv4&amp;#34;&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#8f5902;font-style:italic"># from Dnn.spec.ipv4&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline">&lt;/span>&lt;span style="color:#204a87;font-weight:bold">status&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">ipAddress&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#0000cf;font-weight:bold">1.2.3.4&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>The Automation Layer creates the following low level resources for the Runtime Layer:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">&lt;code class="language-yaml" data-lang="yaml">&lt;span style="display:flex;">&lt;span>&lt;span style="color:#204a87;font-weight:bold">apiVersion&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#000">config.sdcio.dev/v1alpha1&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline">&lt;/span>&lt;span style="color:#204a87;font-weight:bold">kind&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#000">Config&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline">&lt;/span>&lt;span style="color:#204a87;font-weight:bold">metadata&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">labels&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">config.sdcio.dev/targetName&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#000">ch-east &lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#8f5902;font-style:italic"># from Dnn.spec.region&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">config.sdcio.dev/targetNamespace&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#000">default&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline">&lt;/span>&lt;span style="color:#204a87;font-weight:bold">spec&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">priority&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#0000cf;font-weight:bold">10&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">config&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>- &lt;span style="color:#204a87;font-weight:bold">path&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#000">/&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">value&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">dnn&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>- &lt;span style="color:#204a87;font-weight:bold">name&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#4e9a06">&amp;#34;gprs.swisscom.com&amp;#34;&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#8f5902;font-style:italic"># from Dnn.spec.hostname&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">ip&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#0000cf;font-weight:bold">1.2.3.4&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#8f5902;font-style:italic"># from IpAddressClaim.status.ipAddress&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">snssai&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#000;font-weight:bold">[&lt;/span>&lt;span style="color:#0000cf;font-weight:bold">1&lt;/span>&lt;span style="color:#000;font-weight:bold">,&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#0000cf;font-weight:bold">10&lt;/span>&lt;span style="color:#000;font-weight:bold">]&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#8f5902;font-style:italic"># from Dnn.spec.snssai&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">type&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#000">MobileInternet &lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#8f5902;font-style:italic"># from Dnn.spec.type&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline">&lt;/span>&lt;span style="color:#000">---&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline">&lt;/span>&lt;span style="color:#204a87;font-weight:bold">apiVersion&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#000">externaldns.k8s.io/v1alpha1&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline">&lt;/span>&lt;span style="color:#204a87;font-weight:bold">kind&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#000">DNSEndpoint&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline">&lt;/span>&lt;span style="color:#204a87;font-weight:bold">spec&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">endpoints&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>- &lt;span style="color:#204a87;font-weight:bold">dnsName&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#4e9a06">&amp;#34;gprs.swisscom.com&amp;#34;&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#8f5902;font-style:italic"># from Dnn.spec.hostname&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">recordType&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#000">A&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#204a87;font-weight:bold">targets&lt;/span>&lt;span style="color:#000;font-weight:bold">:&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;span style="display:flex;">&lt;span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>- &lt;span style="color:#0000cf;font-weight:bold">1.2.3.4&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline"> &lt;/span>&lt;span style="color:#8f5902;font-style:italic"># from IpAddressClaim.status.ipAddress&lt;/span>&lt;span style="color:#f8f8f8;text-decoration:underline">
&lt;/span>&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>SDC will now sync the configuration to the 5G CNF and ExternalDNS will create the DNS records in the authoritative PowerDNS backend.&lt;/p>
&lt;h2 id="what-has-worked-well">What has worked well?&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Intent-based configuration&lt;/strong> dramatically reduced the complexity engineers face. Instead of managing thousands of interdependent parameters, they work with concise Custom Resources.&lt;/li>
&lt;li>&lt;strong>Full GitOps reconciliation&lt;/strong> across all layers (deployment, configuration, DNS, certificates, IPAM), configuration drift is detected and reverted to ensure consistency.&lt;/li>
&lt;li>&lt;strong>Custom Kubernetes Operators&lt;/strong> (built with Kubebuilder/controller-runtime) proved to be the right pattern for telco domain-specific concerns, providing full reconciliation support and native KRM integration.&lt;/li>
&lt;li>&lt;strong>The claim model for IPAM&lt;/strong> (NetBox Operator) elegantly solved dynamic IP allocation by following established Kubernetes patterns (PVC analogy).&lt;/li>
&lt;li>&lt;strong>Bringing all automation in-band with Kubernetes&lt;/strong> gave the orchestrator full visibility and control, enabling self-healing and eliminating the brittleness of out-of-band tools.&lt;/li>
&lt;li>&lt;strong>DNS resilience engineering&lt;/strong> — dedicated hackathons, chaos testing, and disaster recovery playbooks significantly improved DNS service reliability.&lt;/li>
&lt;li>&lt;strong>Cross-team collaboration&lt;/strong> on a shared platform and KRM patterns accelerated adoption across multiple network domains.&lt;/li>
&lt;/ul>
&lt;h2 id="what-has-not-worked-well">What has not worked well?&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>NETCONF as a configuration protocol&lt;/strong> introduces complexity — it requires SDC as an intermediary and prevents fully Kubernetes-native configuration. Ideally, CNF vendors would support native K8s APIs using CRs/CRDs or Secrets/ConfigMaps.&lt;/li>
&lt;li>&lt;strong>Tooling gap for KRM-based configuration assembly&lt;/strong> — no mature, community-standard Kubernetes-native tool exists for dynamic configuration hydration. Swisscom had to build custom operators to fill this gap.&lt;/li>
&lt;li>&lt;strong>GitOps+KRM auditability trade-off&lt;/strong> — with dynamically assembled configurations, not all state is visible in Git history. The team continues to explore automated intermediary Git layers.&lt;/li>
&lt;li>&lt;strong>Cumbersome vendor configuration manifests&lt;/strong> — large, monolithic configuration files from CNF vendors (with ~5,000 interdependent parameters) required significant effort to decompose into intent-based abstractions.&lt;/li>
&lt;li>&lt;strong>Telco’s imperative model and Kubernetes’ declarative approach do not align well&lt;/strong> - SDC follows the declarative paradigm, where users define the desired state and SDC determines the actions to achieve it. In contrast, NETCONF/gNMI use an imperative model that requires explicit ordered steps (“do A, then B, then C”). Translating declarative goals into imperative sequences is complex when user‑defined ordering matters, such as for firewall rules where evaluation order affects behaviour. Example: &lt;a href="https://github.com/sdcio/data-server/issues/394">Issue &amp;ldquo;Support user sorted lists&amp;rdquo;&lt;/a>&lt;/li>
&lt;/ul>
&lt;h2 id="what-sort-of-glue-have-you-had-to-develop">What sort of &amp;ldquo;glue&amp;rdquo; have you had to develop?&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Custom Kubernetes Operators&lt;/strong> — domain-specific operators for CNF configuration abstraction, config synchronization, IPAM integration, and DNS automation, all scaffolded with Kubebuilder and controller-runtime.&lt;/li>
&lt;li>&lt;strong>Configuration hydration logic&lt;/strong> — the CNF Config Operator dynamically assembles full configurations from multiple sources (NetBox, Vault, cluster environment) based on high-level intents.&lt;/li>
&lt;li>&lt;strong>SDC contributions&lt;/strong> — &lt;a href="https://github.com/search?q=org%3Asdcio+author%3Aalexandernorth&amp;amp;type=pullrequests">significant development work on SDC&lt;/a> including early testing of CNF compatibility, configuration validation, monitoring, config blame, drift detection, and NETCONF Actions support.&lt;/li>
&lt;li>&lt;strong>ExternalDNS NAPTR support&lt;/strong> — contributed &lt;a href="https://github.com/kubernetes-sigs/external-dns/pull/4212">PR #4212&lt;/a> to enable NAPTR record support for SIP phone calls.&lt;/li>
&lt;li>&lt;strong>Resilient DNS architecture&lt;/strong> — created a reference architecture and open sourced on &lt;a href="https://github.com/swisscom/cloud-native-telco/tree/main/prototypes/dns">GitHub&lt;/a>.&lt;/li>
&lt;li>&lt;strong>Headlamp plugins&lt;/strong> — &lt;a href="https://github.com/kubernetes-sigs/headlamp/pulls?q=is%3Apr+author%3Afaebr+">Custom Resource plugin&lt;/a>.&lt;/li>
&lt;/ul>
&lt;h2 id="how-did-the-architecture-evolve">How did the Architecture Evolve&lt;/h2>
&lt;h3 id="journey">Journey&lt;/h3>
&lt;p>The architecture evolved significantly from traditional imperative automation to the current declarative, KRM-based model:&lt;/p>
&lt;ol>
&lt;li>&lt;strong>Phase 1 — Ansible + Jenkins&lt;/strong>: Initial automation used Ansible playbooks triggered by Jenkins pipelines. Configuration was fire-and-forget with no continuous reconciliation.&lt;/li>
&lt;li>&lt;strong>Phase 2 — GitOps for deployment&lt;/strong>: Introduced Flux for CNF deployment, but configuration remained out-of-band via Ansible/NETCONF.&lt;/li>
&lt;li>&lt;strong>Phase 3 — Full GitOps + KRM&lt;/strong>: Extended GitOps to cover configuration, DNS, IPAM, certificates, and testing. Built custom operators and adopted SDC for config synchronization. Achieved continuous reconciliation across all layers.&lt;/li>
&lt;/ol>
&lt;h3 id="key-lessons">Key lessons&lt;/h3>
&lt;ul>
&lt;li>&lt;strong>De facto GitOps for operators is not true GitOps&lt;/strong> — creating Helm releases in Git while configuring NFs via NETCONF out-of-band breaks the GitOps model. Bringing configuration into the Kubernetes API was essential.&lt;/li>
&lt;li>&lt;strong>Bringing everything in-band with Kubernetes&lt;/strong> enables self-healing, reconciliation, and eliminates the brittleness of out-of-band tools.&lt;/li>
&lt;li>&lt;strong>Git as the &lt;em>only&lt;/em> source of truth is insufficient&lt;/strong> — the shared source of truth model (Git for intents, Kubernetes for dynamic state) was a deliberate and necessary evolution.&lt;/li>
&lt;li>&lt;strong>Abstraction is critical&lt;/strong> — engineers cannot effectively manage 5,000+ parameters directly. Intent-based CRs with dynamic assembly significantly reduced cognitive load and errors.&lt;/li>
&lt;li>&lt;strong>Custom Kubernetes Operators&lt;/strong> are the right pattern for domain-specific concerns that existing tools cannot address.&lt;/li>
&lt;li>&lt;strong>Contribute upstream&lt;/strong> — local patches create long-term maintenance burden. Swisscom prioritizes upstream contributions (ExternalDNS, SDC, NetBox Operator) for sustainability.&lt;/li>
&lt;/ul>
&lt;h3 id="whats-next-for-your-architecture">What&amp;rsquo;s next for your architecture?&lt;/h3>
&lt;ul>
&lt;li>&lt;strong>Mature SDC Integration&lt;/strong> — Continue expanding SDC for full lifecycle management with continuous reconciliation via gNMI and NETCONF, including completion of NETCONF Actions support.&lt;/li>
&lt;li>&lt;strong>Eliminate NETCONF Dependency&lt;/strong> — Work with CNF vendors to move toward fully Kubernetes-native configuration APIs, reducing reliance on legacy telco protocols.&lt;/li>
&lt;li>&lt;strong>Advanced Dynamic Configuration Assembly&lt;/strong> — Develop more sophisticated Kubernetes operators for multi-source configuration hydration, enabling even more complex intent-based workflows across multiple network domains.&lt;/li>
&lt;li>&lt;strong>Multi-Cluster &amp;amp; Edge Expansion&lt;/strong> — Scale the architecture to additional edge locations and Kubernetes clusters while maintaining consistent GitOps-driven automation.&lt;/li>
&lt;li>&lt;strong>Community Tooling for KRM&lt;/strong> — Contribute toward a mature, Kubernetes-native tool for dynamic configuration assembly that the wider cloud native community can adopt, addressing the current gap in tooling identified during the project.&lt;/li>
&lt;li>&lt;strong>Resilience &amp;amp; Reliability&lt;/strong> — Ongoing improvements to cross-cluster redundancy, disaster recovery playbooks, chaos testing framework, and enhanced monitoring/alerting.&lt;/li>
&lt;li>&lt;strong>Observability &amp;amp; AIOps&lt;/strong> — Integrate AI-driven operations capabilities leveraging the rich telemetry data from the platform&amp;rsquo;s monitoring stack.&lt;/li>
&lt;li>&lt;strong>Cross-Domain Expansion&lt;/strong> — Extend the orchestration framework to additional network domains and infrastructure services beyond the 5G core, applying the same intent-based automation patterns consistently.&lt;/li>
&lt;/ul>
&lt;h2 id="community-contributions">Community Contributions&lt;/h2>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Contribution&lt;/th>
&lt;th>Details&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;strong>NetBox Operator&lt;/strong>&lt;/td>
&lt;td>Open-sourced under &lt;a href="https://github.com/netbox-community/netbox-operator">https://github.com/netbox-community/netbox-operator&lt;/a>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>SDC Contributions&lt;/strong>&lt;/td>
&lt;td>Active contributor to the &lt;a href="https://docs.sdcio.dev/">SDC project&lt;/a> (on its path to CNCF incubation)&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>KRM Demo Code&lt;/strong>&lt;/td>
&lt;td>&lt;a href="https://github.com/swisscom/containerdays-2024-krm">https://github.com/swisscom/containerdays-2024-krm&lt;/a>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>Conference Talks&lt;/strong>&lt;/td>
&lt;td>&lt;a href="https://github.com/swisscom/cloud-native-telco/">KubeCon EU, ContainerDays, Open Source Summit EU&lt;/a>&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>CNCF/LFN Whitepaper&lt;/strong>&lt;/td>
&lt;td>Co-authored &lt;a href="https://github.com/lfn-cnti/bestpractices/blob/main/doc/whitepaper/Accelerating_Cloud_Native_in_Telco.md">Accelerating Cloud Native in Telco&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h2 id="discussion">Discussion&lt;/h2>
&lt;p>End user members may participate in the &lt;a href="https://github.com/cncf/tab/discussions/136">discussion thread&lt;/a> for this architecture.&lt;/p></description></item><item><title>Architectures: A Cloud Native Scientific Computing Platform for CERN NextGen AI</title><link>https://deploy-preview-36--cncfarchitecture.netlify.app/architectures/cern-scientific-computing/</link><pubDate>Mon, 09 Mar 2026 00:00:00 +0000</pubDate><guid>https://deploy-preview-36--cncfarchitecture.netlify.app/architectures/cern-scientific-computing/</guid><description>
&lt;h2 id="relevant-projects">Relevant Projects&lt;/h2>
&lt;div class="row row-cols-1 row-cols-md-3 mb-4">
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Argo
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/argo/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/argo/icon/color/argo-icon-color.svg" alt="argo logo">&lt;/a>&lt;/p>
&lt;p>ArgoCD is used to manage deployments of all services across multiple clusters and environments. Argo Workflows is used to manage multiple day-2 cluster operations.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Bootc
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/bootc/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/bootc/icon/color/bootc-icon-color.svg" alt="bootc logo">&lt;/a>&lt;/p>
&lt;p>Bootc provides transactional, in-place operating system images and updates using OCI/Docker container images. Bootc is used to build the minimal base images for our cluster nodes.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
ContainerSSH
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/containerssh/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/containerssh/icon/containerssh-icon-dark.svg" alt="containerssh logo">&lt;/a>&lt;/p>
&lt;p>ContainerSSH offers a SSH frontend to containers/pods running on Kubernetes clusters. Used to expose SSH as a way to access existing sessions in the cluster, with multiple authentication mechanisms offered (Kerberos, OIDC/OAuth2).&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Longhorn
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/longhorn/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/longhorn/icon/color/longhorn-icon-color.svg" alt="longhorn logo">&lt;/a>&lt;/p>
&lt;p>Longhorn offers cloud native distributed block storage for Kubernetes. Used to offer in-cluster shared storage to users, with individual and team getting dedicated volumes with read-write-multi access and automated backups.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Kubernetes
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/kubernetes/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/kubernetes/icon/color/kubernetes-icon-color.svg" alt="kubernetes logo">&lt;/a>&lt;/p>
&lt;p>Kubernetes provides the required workload scheduling and orchestration for the diverse workloads running in our scientific platform.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Kubeflow
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/kubeflow/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/kubeflow/icon/color/kubeflow-icon.svg" alt="kubeflow logo">&lt;/a>&lt;/p>
&lt;p>Kubeflow offers tools to manage the complete MLOps lifecycle. Used for profile management and quotas for users and teams, instantiation of notebook servers, pipelines for common and reusable tasks, hyper-parameter tuning with Katib and managing inference endpoints.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Kserve
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/kserve/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/kserve/icon/color/k-serve-icon-color.svg" alt="kubeflow logo">&lt;/a>&lt;/p>
&lt;p>Kserve standardizes hosting of inference endpoints. Used to encapsulate multiple runtime flavors, such as ONNX, Triton and several others, and offering a declarative way to define inference servers.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Kyverno
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/kyverno/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/kyverno/icon/color/kyverno-icon-color.svg" alt="kyverno logo">&lt;/a>&lt;/p>
&lt;p>Kyverno offers policy as code with support for YAML and CEL based policies. Used as a key component for policy enforcement and mutating workloads according to those policies, adding required settings to expose storage systems, set resources based on GPUs, etc.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Kueue
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://kueue.sigs.k8s.io/">&lt;img src="https://raw.githubusercontent.com/kubernetes-sigs/kueue/main/site/static/images/logo.svg" alt="kueue logo">&lt;/a>&lt;/p>
&lt;p>Kueue is a kubernetes-native system offering advanced scheduling capabilities and quota management. Used to provide job queues and quotas, gang scheduling, fair sharing, among other capabilities.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Prometheus
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/prometheus/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/prometheus/icon/color/prometheus-icon-color.svg" alt="prometheus logo">&lt;/a>&lt;/p>
&lt;p>Prometheus gathers the metrics and insights from all components in the cluster. Used for system and service metrics as well as providing individual workload performance insights on cpu, memory, power and other areas.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
stargz-snapshotter
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://github.com/containerd/stargz-snapshotter">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/containerd/icon/color/containerd-icon-color.svg" alt="containerd logo">&lt;/a>&lt;/p>
&lt;p>stargz-snapshotter provides lazy pulling of container images. Used to handle efficient job start and execution with image sizes of over 100GB in some cases.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;p>Some additional projects outside the CNCF are essential to this deployment.&lt;/p>
&lt;ul>
&lt;li>&lt;a href="https://mlflow.org/">MLFlow&lt;/a>, a project under the Linux Foundation used for model management and versioning&lt;/li>
&lt;li>&lt;a href="https://github.com/NVIDIA/gpu-operator">Nvidia GPU operator&lt;/a> to setup and manage drivers and configurations for Nvidia GPUs&lt;/li>
&lt;li>&lt;a href="https://github.com/ROCm/gpu-operator">AMD GPU operator&lt;/a> to setup and manage drivers and configurations for AMD GPUs&lt;/li>
&lt;/ul>
&lt;h2 id="tldr-synopsis">TLDR; Synopsis&lt;/h2>
&lt;p>This reference architecture describes a deployment supporting multiple teams in CERN’s new flagship “&lt;a href="https://nextgentriggers.web.cern.ch/">Next Generation Triggers&lt;/a>” project, looking at innovative computing technologies for data acquisition and processing for the High-Luminosity Large Hadron Collider and beyond.&lt;/p>
&lt;p>The cluster and platform target:&lt;/p>
&lt;ul>
&lt;li>Multiple scientific use cases, covering &lt;strong>traditional numerical computing&lt;/strong> as well as &lt;strong>machine learning workloads&lt;/strong> across the different CERN experiments. Scientific computing and in particular high performance computing (HPC) have relied on cloud native tooling for parts of their workloads for several years, but relied on tools like SLURM for advanced scheduling capabilities. This is our first production deployment to offer the full stack based only on cloud native infrastructure&lt;/li>
&lt;li>Access to both accelerators (in particular &lt;strong>GPUs&lt;/strong>) as well as specialized nodes such as &lt;strong>high CPU core count&lt;/strong> and &lt;strong>high CPU clock frequency&lt;/strong>. In an earlier stage of experimentation also &lt;strong>FPGAs&lt;/strong> are being integrated targeting fast inference in the CERN experiment online filters&lt;/li>
&lt;li>In a shared pool of resources allow &lt;strong>interactive access (including SSH, VSCode, Notebooks and just kubectl), traditional batch, MPI and training workloads and inference&lt;/strong>&lt;/li>
&lt;li>Integration with the existing infrastructure at CERN for CI / CD systems (on-premises GitLab and GitHub), identity, and efficient access to multiple storage systems for both user and physics data&lt;/li>
&lt;/ul>
&lt;p>A pure cloud native based infrastructure can now successfully serve scientific computing workloads, with advanced scheduling features such as co-scheduling, fair sharing, among others.&lt;/p>
&lt;h2 id="use-cases--requirements">Use Cases &amp;amp; Requirements&lt;/h2>
&lt;p>A set of requirements and use cases was initially defined when designing the architecture. The figure below shows how a shared pool of resources, mostly on-premises but integrating public cloud and supercomputing centers, should be accessed from different services.&lt;/p>
&lt;p>&lt;img src="images/use-cases.png" alt="Use Cases and Resources">&lt;/p>
&lt;p>Below we highlight specific requirements in terms of hardware and user facing functionality.&lt;/p>
&lt;h3 id="hardware">Hardware&lt;/h3>
&lt;ul>
&lt;li>Support for an &lt;strong>heterogeneous set of resources&lt;/strong>: multiple CPU types, GPUs from multiple vendors, FPGAs and specialized accelerators, all in a shared pool of resources&lt;/li>
&lt;li>Integration with &lt;strong>multiple network interconnects&lt;/strong> targeting low latency, including at least Infiniband and RDMA over Converged Ethernet (RoCEv2)&lt;/li>
&lt;li>A &lt;strong>hybrid deployment&lt;/strong> integrating external resources, both from public cloud providers and supercomputing centers&lt;/li>
&lt;/ul>
&lt;h3 id="user-facing">User Facing&lt;/h3>
&lt;ul>
&lt;li>&lt;strong>Curated environments&lt;/strong> based on container images and maintained by the platform team for the most common user setups, covering ML workloads but also traditional scientific computing. Particularly important has been ensuring these environments are compatible with the existing ways of working, with session environments setup with backwards compatibility for existing physicist tools and scripts&lt;/li>
&lt;li>Easily &lt;strong>customizable environments&lt;/strong>, either via dedicated environments maintained by user teams or the ability to install additional packages at runtime. This means users have sudo capabilities inside their sessions&lt;/li>
&lt;li>&lt;strong>Interactive access&lt;/strong> to sessions with the ability to choose the amount of GPUs at creation, and a corresponding CPU and memory allocation depending on the type of GPU selected. Once created, access available to the session via notebooks, local vscode instances and most importantly &lt;strong>SSH for compatibility&lt;/strong> with the existing ways of working&lt;/li>
&lt;li>&lt;strong>Batch access&lt;/strong> to resources, with support for advanced scheduling capabilities such as queues, quotas, co-scheduling, fair sharing. In addition to the high priority user submissions of training or MPI jobs, the system should be able to backfill unused resources with lower priority workloads to ensure high usage efficiency&lt;/li>
&lt;li>Support for the complete &lt;strong>machine learning lifecycle&lt;/strong>, including data preparation, training, hyper-parameter tuning and model inference. In particular, support, efficient integration and automation using common training and tuning frameworks&lt;/li>
&lt;li>&lt;strong>Model management and versioning&lt;/strong>, integrated with the rest of the platform with collection and storage of training metadata and logging&lt;/li>
&lt;/ul>
&lt;h2 id="architecture">Architecture&lt;/h2>
&lt;p>The diagram below shows how the different projects and tools match the requirements.&lt;/p>
&lt;p>&lt;img src="images/ngt-refarch.png" alt="">&lt;/p>
&lt;p>Areas of particular interest where effort was required include compute, scheduling, networking, storage and observability.&lt;/p>
&lt;h3 id="compute">Compute&lt;/h3>
&lt;p>&lt;strong>Proper isolation and reproducibility&lt;/strong> is essential for reliable performance and results, removing the effect of noisy neighbors and the latency between CPU and GPU. GPU nodes follow a NUMA-aware dual-socket layout, designed to preserve locality between CPU, memory, and accelerator resources. Each node has two CPU sockets, exposed as two NUMA nodes.&lt;/p>
&lt;p>&lt;img src="images/hwlayout.png" alt="">&lt;/p>
&lt;p>Depending on the node type, GPUs are distributed evenly across these NUMA domains: either 8 GPUs per node, with 4 GPUs attached to each NUMA node, or 4 GPUs per node, with 2 GPUs attached to each NUMA node.&lt;/p>
&lt;p>Some relevant configurations to ensure the desired reproducibility and isolation.&lt;/p>
&lt;p>&lt;em>CPU and memory resource allocations (requests and limits)&lt;/em> scale with the number of GPUs requested by a session: pods receive resources in proportion to the selected GPU count while remaining aligned with the corresponding NUMA locality. This minimizes cross-socket communication, reduces latency between CPU and GPU, and improves the consistency of performance-sensitive workloads&lt;/p>
&lt;p>&lt;em>Control CPU Management Policies on the Node&lt;/em>, as &lt;a href="https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/">documented here&lt;/a> with the following settings on the kubelet.&lt;/p>
&lt;ul>
&lt;li>&lt;code>cpu-manager-policy=static&lt;/code>&lt;/li>
&lt;li>&lt;code>cpu-manager-policy-options=full-pcpus-only=true&lt;/code>&lt;/li>
&lt;li>&lt;code>memory-manager-policy=Static&lt;/code>&lt;/li>
&lt;li>&lt;code>topology-manager-policy=restricted&lt;/code>&lt;/li>
&lt;/ul>
&lt;p>&lt;em>Reserved systems resources&lt;/em> for kubelet and other add-ons.&lt;/p>
&lt;ul>
&lt;li>&lt;code>system-reserved=cpu=2,memory=1000Mi&lt;/code>&lt;/li>
&lt;li>&lt;code>reserved-memory=0:memory=1000Mi&lt;/code>&lt;/li>
&lt;/ul>
&lt;p>&lt;strong>Efficient access and distribution of container images&lt;/strong>, to accelerate the start of sessions based on both curated and custom environments each being multiple 10s of GBs in size. We provide this with a custom daemonset pre-pulling all curated images in advance when published, as well as the ability to do image streaming with the stargz-snapshotter.&lt;/p>
&lt;p>&lt;strong>Capability to burst out to external resources,&lt;/strong> in particular public cloud providers and HPC resources.&lt;/p>
&lt;h3 id="scheduling">Scheduling&lt;/h3>
&lt;p>&lt;a href="https://kubernetes.io/docs/concepts/scheduling-eviction/resource-bin-packing/">&lt;strong>Bin packing&lt;/strong>&lt;/a> &lt;strong>in the scheduling profile&lt;/strong> instead of the default workload spread across nodes, with strategy &lt;code>MostAllocated&lt;/code> ensuring better availability for workloads requiring full nodes.&lt;/p>
&lt;p>&lt;strong>Advanced scheduling features&lt;/strong> for queues supporting different resource types and QoS, workload co-scheduling, quotas and fair sharing to optimize overall resource utilization.&lt;br>
Kueue is the main component being used to achieve the advanced scheduling functionality we need.&lt;/p>
&lt;h3 id="networking">Networking&lt;/h3>
&lt;p>&lt;strong>Low latency networking&lt;/strong> such as Infiniband and RDMA over Converged Ethernet (RoCEv2) supporting both traditional CPU and GPU MPI workloads. Currently done by enabling hostNetwork and exposing the corresponding PCI devices for these specific use cases. Driver and lifecycle management of IB/RoCEv2 networking resources is controlled using the Nvidia network operator.&lt;/p>
&lt;h3 id="storage">Storage&lt;/h3>
&lt;p>Users get different storage tiers which fit different usages.&lt;/p>
&lt;h4 id="node-local">Node local&lt;/h4>
&lt;p>Very high IOPS but limited space, typically on the low TBs available to all workloads on that node. Not useful for multi-node jobs requiring a shared filesystem. Used also for GPU Direct Storage (GDS) with local NVMEs.&lt;/p>
&lt;h4 id="cluster-local">Cluster local&lt;/h4>
&lt;p>Shared filesystem across all nodes in the cluster, deployed using Longhorn. Limiting the number of network hops as much as possible ensures reasonable IOPS and scales out well in space available with the number of nodes in the cluster (typically 10s of TBs per node). Connection through a single switch for higher performance, as much as possible. Volumes stored in this filesystem are backed up to S3 storage relying on the internal Longhorn backup functionality, with incremental points daily for a week and monthly.&lt;/p>
&lt;h4 id="central">Central&lt;/h4>
&lt;p>Shared filesystem outside the cluster with much higher storage space available. Managed using CEPH with different IOPS available, up to 2000 guaranteed with bursting to higher values.&lt;/p>
&lt;h3 id="observability">Observability&lt;/h3>
&lt;p>The stack provides visibility into hardware performance, resource efficiency, and environmental impact.&lt;/p>
&lt;h4 id="telemetry-collection">Telemetry Collection&lt;/h4>
&lt;p>Leveraging a multi-layered collection strategy integrated with the kube-prometheus-stack.&lt;/p>
&lt;p>&lt;strong>Accelerators&lt;/strong>: NVIDIA dcgm-exporter and AMD device-metrics-exporter provide deep-field GPU telemetry (utilization, memory, power, temperature, and frequency).&lt;/p>
&lt;p>&lt;strong>Power &amp;amp; Sustainability&lt;/strong>: IPMI and Kepler capture hardware-level power metrics. Kepler utilizes RAPL to attribute energy consumption to individual workloads.&lt;/p>
&lt;p>&lt;strong>System Metrics&lt;/strong>: Standardized node and container metrics are ingested via Prometheus for a unified view of the cluster.&lt;/p>
&lt;h4 id="visualization-and-analysis">Visualization and Analysis&lt;/h4>
&lt;p>Data is exposed via Grafana through three specialized dashboard tiers.&lt;/p>
&lt;p>&lt;strong>Cluster Overview&lt;/strong>: Tracks aggregate utilization (CPU, GPU, RAM, Network, Thermals) and node-level health. It highlights idle resources and historical trends to guide capacity planning.&lt;/p>
&lt;p>&lt;strong>User/Workload Analytics&lt;/strong>: Provides namespace-filtered views for individual developers to monitor their specific deployments. This view balances resource efficiency (allocated vs. actual usage) with performance profiling (GPU/CPU/RAM saturation) and power consumption, allowing users to independently debug bottlenecks and optimize job performance.&lt;/p>
&lt;p>&lt;strong>Sustainability Tracking&lt;/strong>: A dedicated dashboard for CO2-equivalent emissions, offering transparency into the carbon footprint at both the cluster and individual workload levels.&lt;/p>
&lt;h4 id="alerting-and-optimization">Alerting and Optimization&lt;/h4>
&lt;p>Alertmanager is configured to trigger notifications for idle resources. By monitoring the delta between allocated requests and actual utilization, the system identifies &amp;ldquo;zombie&amp;rdquo; workloads or over-provisioned namespaces, allowing for potential automated or manual resource reclamation to reduce costs and energy waste.&lt;/p>
&lt;h2 id="what-works-particularly-well">What works particularly well&lt;/h2>
&lt;p>&lt;strong>Workload isolation&lt;/strong> which is a key aspect when considering needs for reliable benchmarking results. Recent versions of Kubernetes have all the required capabilities to ensure NUMA affinity between CPUs and GPUs, resource pinning to individual workloads and reservation for system services and add-ons.&lt;/p>
&lt;p>&lt;strong>GPU setup, configuration and monitoring&lt;/strong> with well supported and up to date operators for both Nvidia and AMD GPUs and automation for metric collection on utilization, power, memory, etc. This includes the initial node configuration required with loading drivers and exposing them to the workloads, as well as day-2 operations such as driver upgrades with integration with the default methods for cordoning and draining nodes.&lt;/p>
&lt;p>&lt;strong>Kyverno for validation and mutation&lt;/strong> of cluster resources, allowing a policy based mutation of the resource capabilities based on labels available to users. This ranges from attaching volumes for access to external storage, setting environment variables such as home directories or authentication, automation of resources for cpu and memory and many others. Validation policies also include ensuring users do not attempt invalid NUMA allocations of CPUs and GPUs. Kyverno was chosen after the initial choice of the OPA Gatekeeper had limitations when modifying fields outside the matching location.&lt;/p>
&lt;h2 id="what-needs-improvement">What needs improvement&lt;/h2>
&lt;p>&lt;strong>GPU failure detection&lt;/strong> and integration with the scheduler, either by cordoning nodes or blocking access to faulty GPUs. Depending on the type of fault, the device plugins (for both Nvidia and AMD) may stop exposing faulty devices, but this is not reliable in all cases. Options such as &lt;a href="https://github.com/NVIDIA/NVSentinel">Nvidia Sentinel&lt;/a> are being evaluated.&lt;/p>
&lt;p>&lt;strong>GPU partitioning currently at node level&lt;/strong>, limiting the ability to have in the same node devices being exposed fully and others being partitioned using MIG. This is currently not supported by the GPU operators, but should be available in the future with the DRA drivers.&lt;/p>
&lt;p>&lt;strong>Scheduling workloads across multiple clusters&lt;/strong>, while possible, does not allow seamless access to logs or launching interactive sessions as done for single clusters - `kubectl log` and `kubectl exec` type of request. This is ongoing work in Kueue but currently limits the workloads submitted outside the main cluster to batch-like workloads.&lt;/p>
&lt;p>&lt;strong>Limited support for checkpoint and restore&lt;/strong> in several types of workloads, in particular the non machine-learning workloads. This limits the ability to push overall usage of the cluster further up by suspending / preempting idle sessions without losing any work. Efforts such as &lt;a href="https://criu.org/Kubernetes">criu&lt;/a> and the &lt;a href="https://kubernetes.io/blog/2026/01/21/introducing-checkpoint-restore-wg/">checkpoint-restore working group&lt;/a> promise to greatly advance the capabilities of the cloud native ecosystem in this area in an workload agnostic way.&lt;/p>
&lt;p>&lt;strong>Low latency networking&lt;/strong> with InfiniBand or RoCEv2 in our setup is currently not namespaced and exposed to the users through &lt;em>hostNetwork&lt;/em>. In case user workloads are not trusted, other options that provide better network-level isolation should be explored, including SR-IOV and via efforts such as &lt;a href="https://github.com/kubernetes-sigs/dranet">dranet&lt;/a>.&lt;/p>
&lt;h2 id="what-sort-of-glue-have-you-had-to-develop">What sort of &amp;ldquo;glue&amp;rdquo; have you had to develop?&lt;/h2>
&lt;p>A key goal of our architecture was ensure the complete functionality is available via cloud native APIs, easing the integration with all other tools in the ecosystem. The glue pieces below target ease of use.&lt;/p>
&lt;p>&lt;strong>Access via SSH&lt;/strong> was one of the main requests from our users, allowing backwards compatibility with years of custom scripts, continuous integration and several other &amp;ldquo;ways of working&amp;rdquo; that require this type of access. We invested internally in developing the required capabilities in the &lt;a href="https://containerssh.io/">containerssh&lt;/a> project, with management of multiple sessions, multiple authenticated methods (OAuth2, Kerberos, X509), among others.&lt;/p>
&lt;p>&lt;strong>Large number of mutating policies&lt;/strong>, allowing us to give a better experience to users that do not want to use &lt;code>kubectl&lt;/code> or write yaml. Relying on metadata labels in the different resources hides the complexity of setting up volume mounts, environment variables, etc. Our current policies include setting tolerations to assign workloads to specific node flavors, additional environment configurations for MPI workloads, injecting user metadata to access storage systems and interact with internal services, mounting multiple storage systems at CERN or enabling RDMA and GPU Direct Storage.&lt;/p>
&lt;h2 id="whats-next-for-your-architecture">What&amp;rsquo;s next for your architecture?&lt;/h2>
&lt;p>&lt;strong>Interactive session management&lt;/strong> via notebooks, relying on the Kubeflow Notebooks UI. As of today, users require a minimal yaml and usage of the &lt;code>kubectl&lt;/code> client to create, list and delete their interactive sessions, even if access is then available via ssh, notebooks, vscode, etc. An upcoming improvement is to offer a UI based interface to manage sessions, likely relying on the Kubeflow Notebook UI but applying to any type of workload.&lt;/p>
&lt;p>&lt;strong>DRA and automated partitioning&lt;/strong> in the cluster, as currently we still rely on the Nvidia and AMD operators to manage GPU resources for this particular setup and need to manually set the desired MIG configuration for each node/pool of nodes. This will allow us to have heterogeneous configurations in the same node (with both partitioned and non-partitioned devices) as well as, in the future when the DRA drivers get this functionality, automatic partitioning of devices based on the current workloads.&lt;/p>
&lt;p>&lt;strong>Bursting to HPC resources&lt;/strong>, as existing supercomputers and upcoming AI factories have a large number of available GPUs. The main requirement is to integrate with SLURM as an API to manage these remote resources, but in a way that is seamless to users of the service. Projects such as &lt;a href="https://github.com/interlink-hq">interLink&lt;/a> promise to hide the SLURM backends behind the Kubernetes APIs in our platform.&lt;/p>
&lt;h2 id="key-takeaways--lessons">Key Takeaways / Lessons&lt;/h2>
&lt;p>&lt;strong>Adapt to existing ways of working&lt;/strong>: the success of the platform depends on acceptance by users, who often will not have the time to change their ways of working. Anticipate where effort is needed to meet users where they&amp;rsquo;re at, building the required glue on top of your cloud native infrastructure.&lt;/p>
&lt;p>&lt;strong>Iterative and quick development&lt;/strong>: when exposing a new platform to users with so many stack changes from previous deployments, the ability to iterate very quickly taking into account user feedback is essential. This likely means planning for an intense period after first exposing the services, with the risk of loosing users from the start otherwise.&lt;/p>
&lt;p>&lt;strong>Upstream first&lt;/strong>: this is only way to ensure long term sustainability of a platform, exposing requirements and working together with the rest of the community. Local, temporary patches, when required, should be done in parallel with the upstream contributions.&lt;/p>
&lt;p>&lt;strong>Cloud native is ready for scientific computing and AI/ML&lt;/strong>: if there were doubts, this experience cleared them up. Cloud native enables the next generation of scientific computing and AI/ML platforms, with all the advanced requirements from high performance computing together with the integration with all modern tools that talk cloud native.&lt;/p>
&lt;h2 id="discussion">Discussion&lt;/h2>
&lt;p>End user members may participate in the &lt;a href="https://github.com/cncf/tab/discussions/137">discussion thread&lt;/a> for this architecture.&lt;/p></description></item><item><title>Architectures: A modern and sovereign Private Cloud «Kubernetes Service» for Swiss-based enterprises.</title><link>https://deploy-preview-36--cncfarchitecture.netlify.app/architectures/swisscom-kubernetes-service/</link><pubDate>Wed, 04 Mar 2026 00:00:00 +0000</pubDate><guid>https://deploy-preview-36--cncfarchitecture.netlify.app/architectures/swisscom-kubernetes-service/</guid><description>
&lt;h2 id="relevant-cncf-projects">Relevant CNCF projects&lt;/h2>
&lt;div class="row row-cols-1 row-cols-md-3 mb-4">
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Kubernetes
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/kubernetes/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/kubernetes/icon/color/kubernetes-icon-color.svg" alt="kubernetes logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2024&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> 1.32.8 (CNIP)&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> 1.31.x - 1.34.x (SKP)&lt;/li>
&lt;/ul>
&lt;p>Kubernetes enables high availability, scalability, and performance for infrastructure, offering a centralized and policy-driven platform to manage network and service data supporting Managed Kubernetes for our cloud customers.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
KubeVirt
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/kubevirt/">&lt;img src="https://github.com/cncf/artwork/raw/main/projects/kubevirt/horizontal/color/kubevirt-horizontal-color.svg" alt="kubevirt logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2024&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> v1.5.0 (CNIP)&lt;/li>
&lt;/ul>
&lt;p>Cluster resources are constructed using KubeVirt for virtual machine abstraction of Control Plane and Worker instances.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Kube-OVN
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/kube-ovn/">&lt;img src="https://github.com/cncf/artwork/raw/main/projects/kube-ovn/horizontal/color/kube-ovn-horizontal-color.svg" alt="kube-ovn logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2024&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> v1.13.14 (CNIP)&lt;/li>
&lt;/ul>
&lt;p>Kube-OVN is utilized as network stack of the infrastructure cluster to enable intra-cluster/east-west network communication of user clusters. It enables a policy-driven security model as well as customer network isolation using VPCs.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
MetalLB
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/metallb/">&lt;img src="https://github.com/cncf/artwork/raw/main/projects/metallb/horizontal/color/metallb-horizontal-color.svg" alt="metallb logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2024&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> v0.15.3&lt;/li>
&lt;/ul>
&lt;p>MetalLB is an integral component of the infrastructure deployment process, offering automated access to the framework that provisions individual user cluster resources on bare metal Kubernetes environments.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Container Storage Interface (CSI)
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://github.com/container-storage-interface">&lt;img src="https://github.com/cncf/artwork/raw/main/other/csi/horizontal/color/csi-horizontal-color.svg" alt="csi logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2024&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> v25.06.3 (trident-csi)&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> v0.4.5 (kubevirt-csi)&lt;/li>
&lt;/ul>
&lt;p>Kubevirt-CSI is the standard storage interface for persistent volumes in user clusters. Trident-CSI manages NetApp storage requests and can also be used directly to integrate with Swisscom&amp;rsquo;s File Service Kubernetes, which provides iSCSI and NFS shared storage across all Availability Zones.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Kyverno
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/kyverno/">&lt;img src="https://github.com/cncf/artwork/raw/main/projects/kyverno/horizontal/color/kyverno-horizontal-color.svg" alt="kyverno logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2024&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> v1.13.4 (CNIP)&lt;/li>
&lt;/ul>
&lt;p>Kyverno serves as the default policy engine for infrastructure and user clusters, providing robust security constraints.
In addition to Kyverno, also Chainsaw (a Kyverno sub-project) is used for automated, declarative e2e testing.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
ArgoCD
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/argo/">&lt;img src="https://github.com/cncf/artwork/raw/main/projects/argo/horizontal/color/argo-horizontal-color.svg" alt="argo logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2024&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> v3.2.0 (CNIP)&lt;/li>
&lt;/ul>
&lt;p>ArgoCD allows us to deliver comprehensive infrastructure using a fully automated GitOps methodology.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Helm
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/helm/">&lt;img src="https://github.com/cncf/artwork/raw/main/projects/helm/horizontal/color/helm-horizontal-color.svg" alt="helm logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2024&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> v3.5.1 (CNIP)&lt;/li>
&lt;/ul>
&lt;p>Helm automates the creation, packaging, configuration, and deployment of Kubernetes applications by creating reusable charts.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
CloudNativePG
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/cloudnativepg/">&lt;img src="https://landscape.cncf.io/logos/d795f87b2810954c88802c0b4bd6b3eee5a840c32cbee7276b25831cfb09e1cd.svg" alt="cnpg logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2024&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> v1.27.0 (CNIP)&lt;/li>
&lt;/ul>
&lt;p>CloudNativePG (CNPG) manages PostgreSQL databases in cloud-native environments. It handles the full lifecycle of highly available PostgreSQL clusters (primary/standby with native streaming replication), including declarative deployment, scaling, backups, self-healing, failover and monitoring.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;h2 id="describe-your-organisation">Describe your organisation&lt;/h2>
&lt;p>Swisscom is the leading ICT company in Switzerland and offers mobile, Internet and TV, as well as comprehensive IT and digital services to private and business customers.
Swisscom&amp;rsquo;s expertise in cloud native technologies is well-established, as evidenced by its status as a former Gold member and Management Board member of the Cloud Foundry Foundation, along with its certification for Cloud Foundry.
Additionally, Swisscom demonstrates a strong commitment to the Open-Source community, having been a CNCF Silver Member for several years and serving as a Kubernetes Certified Service Provider (KCSP) partner.
Our skilled employees have delivered numerous speeches and presentations at prestigious events such as KubeCon, Cloud Native Zürich, Swiss Cloud Native Day, KCD Suisse Romande, ContainerDays, among others.&lt;/p>
&lt;p>Our next generation Private Cloud Container as a Service offering «Kubernetes Service» for the B2B market addresses customer’s need for scalable and highly available Kubernetes workload as a flexible and secure IT foundation.
It is part of our Swiss-based Enterprise Service Cloud (ESC) market channel as a sovereign, Private Cloud Kubernetes offering for effortless provisioning and usage of our customer’s container workloads.&lt;/p>
&lt;h2 id="describe-your-entity-andor-team">Describe your entity and/or team&lt;/h2>
&lt;p>The development and delivery of the new «Kubernetes Service» is done at within Swisscom&amp;rsquo;s IT-Clouds Value Stream and shared across two teams:&lt;/p>
&lt;ul>
&lt;li>Pathfinders: responsible for the Cloud Native Infrastructure Platform (CNIP).
CNIP handles the creation, delivery, and lifecycle management of the KubeVirt-based virtual machines (VMs). These VMs function as nodes for both the Control Plane and Workers. The VMs are ephemeral and can be re-created immediately in case of any failure. They are solely used to enable container-based workloads and do not act as standalone VMs.&lt;/li>
&lt;li>Guardians: responsible for the Swisscom Kubernetes Platform (SKP), which runs on top of CNIP.
It consists of the installation of Kubermatic Kubernetes Platform (KKP) for the customer tenant (environment) and the setup and support of the highly available Control Plane for any customer (user) cluster.&lt;/li>
&lt;/ul>
&lt;p>The layered approach allows Swisscom to manage technological aspects distinctly by segregating the cloud native infrastructure (managed by the Pathfinders team) from the Kubernetes platform (managed by the Guardians team).
This strategy ensures considerable flexibility, permitting each layer to be combined or integrated with other technologies in the future.&lt;/p>
&lt;p>&lt;img src="./images/kubernetes-service-team-deliverables.png" alt="Kubernetes Service is a combination of CNIP &amp;amp; SKP deliverables">&lt;/p>
&lt;h2 id="brief-overview-of-your-architecture-and-any-potential-goals-you-are-trying-to-achieve-with-it">Brief overview of your architecture and any potential goals you are trying to achieve with it?&lt;/h2>
&lt;h3 id="summary">Summary&lt;/h3>
&lt;p>Kubernetes Service is the successor to our current container offering, representing a significant shift towards a more cloud-native approach using advanced Open-Source technology.
Currently bound to a vendor-specific implementation, Swisscom has opted to employ open-source tools for the development of cloud native products for customer use. This strategy aims to minimize dependencies and mitigate the risk of vendor lock-ins.&lt;/p>
&lt;p>By adopting this architecture, Swisscom can uphold quality within the cloud native domain while maintaining a competitive pricing model due to reduced reliance on external licensing and subscription models.
Furthermore, having the ability to develop, maintain, and operate all components internally enhances our decision-making processes and strengthens our roadmap capabilities.&lt;/p>
&lt;p>Another important point is that our customers&amp;rsquo; data will always remain within Switzerland and under Swiss law. Since we fully own the platform and do not rely on any external vendors, we can confidently guarantee true data sovereignty, hosted entirely on our premises without relying on vague marketing claims. Additionally, because Swisscom is not subject to the US Cloud Act or similar foreign regulations, no non-Swiss legislation can access the data.&lt;/p>
&lt;h3 id="brief-overview-of-architecture">Brief overview of architecture&lt;/h3>
&lt;p>A simplified high-level diagram describes Kubernetes Service, including multi-tenancy and security aspects:&lt;/p>
&lt;p>&lt;img src="./images/kubernetes-service-central-infra.png" alt="Central Kubernetes Infra Cluster is used to provide customer environments/tenants based on consolidated infrastructure">&lt;/p>
&lt;p>As illustrated in the figure, two separate and independent user tenants, BLUE and RED, are established on shared resources (depicted in yellow), managed by the Kubernetes Infrastructure Cluster. The foundation for all virtual abstractions is the Consolidated Infrastructure (COI) in Swisscom’s data centers.&lt;/p>
&lt;p>Each customer-specific environment comprises a management zone (MGMT Zone) and a workload zone.
These zones address shared responsibilities, where Swisscom provides the Control Plane for each customer&amp;rsquo;s environment (illustrated in blue and orange in the next figure).&lt;/p>
&lt;p>Customers have the flexibility to deploy workloads within the workload zone independently of the management resources as required.
Furthermore, each customer is able to maintain multiple environments. This provides an alternative method for segregating workloads at the tenant level instead of the Kubernetes cluster level, thereby ensuring comprehensive isolation from the outset.&lt;/p>
&lt;p>&lt;img src="./images/kubernetes-service-isolated-envs.png" alt="Each customer environment is isolated and comprises a management zone and workload zone">&lt;/p>
&lt;h3 id="goals-and-objectives">Goals and objectives&lt;/h3>
&lt;p>One of the primary objectives of the product refresh is to offer more desired features to customers.
Compared to the current offering, enhancements include:&lt;/p>
&lt;ul>
&lt;li>Upstream Kubernetes versions with faster updates&lt;/li>
&lt;li>Node Autoscaling&lt;/li>
&lt;li>Integrated Backup functionalities&lt;/li>
&lt;li>Native Kubernetes Load Balancer&lt;/li>
&lt;li>Modern customer self-service portal&lt;/li>
&lt;li>Additional Kubernetes add-ons available via Application Catalog&lt;/li>
&lt;/ul>
&lt;p>Moreover, additional options are directly available to our customers:&lt;/p>
&lt;ul>
&lt;li>Choose from different Container Network Interfaces (CNI)&lt;/li>
&lt;li>Access persistent storage through kubevirt-csi&lt;/li>
&lt;/ul>
&lt;p>With KubeVirt providing abstraction, KVM is employed as the hypervisor on bare-metal servers. From the customer&amp;rsquo;s perspective (Customer X), the administrator of their user cluster manages all selections and abstractions shown in the figure below, enabling customers to make independent decisions, e.g. choosing a default CNI from the available options (Cilium, Canal, None).&lt;/p>
&lt;p>&lt;img src="./images/kubernetes-service-ingredients.png" alt="Ingredients of Kubernetes Service and abstraction towards user/customer">&lt;/p>
&lt;p>In addition to technical improvements, we aimed to minimise reliance on external vendors and build a truly sovereign cloud solution that can compete with Public Cloud offerings, free from outside service dependencies. Our goal is for customers to run their Kubernetes workloads in our sovereign ESC Cloud, providing a comprehensive alternative to US hyperscalers - in terms of functionality and, most importantly, data privacy.&lt;/p>
&lt;h2 id="can-you-expand-on-why-you-are-using-those-projectsservices">Can you expand on why you are using those projects/services?&lt;/h2>
&lt;ul>
&lt;li>&lt;strong>Cloud-Native Implementation&lt;/strong>:
Utilized CNCF projects and technologies to deploy a comprehensive stack consistent with a microservices-based architecture, resulting in enhanced scalability and operational agility.&lt;/li>
&lt;li>&lt;strong>Kubernetes for Orchestration&lt;/strong>:
Adopted Kubernetes to manage containerized workloads, enabling automated deployment, scaling, and resilience on management as well as user cluster level.&lt;/li>
&lt;li>&lt;strong>Kube-OVN as network layer&lt;/strong>:
With Kube-OVN as CNI on the infrastructure clusters and it&amp;rsquo;s VPC functionality, it allows customer environments to be fully segregated on a shared platform, providing maximum flexibility and strong security enforcement. It enables the teams to use familiar cloud-native development, operations, and debugging tools and skills.&lt;/li>
&lt;li>&lt;strong>KubeVirt for VM abstraction&lt;/strong>:
A high-quality, Kubernetes-native virtual machine abstraction facilitates the deployment of container-based resources on a centralized cloud-native infrastructure platform, while maintaining flexibility for future use of VM resources.&lt;/li>
&lt;li>&lt;strong>Open-Source &amp;amp; Cost Efficiency&lt;/strong>:
CNCF components deliver vendor-neutral, cost-effective solutions that are fundamental to container orchestration and observability. These open-source tools form the foundation of our sovereign cloud initiative, empowering internal teams to design customized architectures independently of third-party vendors. Utilizing CNCF technologies allows us to maintain flexibility, scalability, and comprehensive control over our cloud infrastructure, supporting our strategic objectives of autonomy and innovation.&lt;/li>
&lt;li>&lt;strong>Declarative &amp;amp; Configuration-Driven Approach&lt;/strong>:
CNCF tools align with the low-code/no-code principle by enabling declarative configuration management.&lt;/li>
&lt;/ul>
&lt;h2 id="what-has-worked-well">What has worked well?&lt;/h2>
&lt;p>The implementation has eventually lead to the product launch of Kubernetes Service in August 2025, with some strong outcomes:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Layered Architecture for Enhanced Robustness&lt;/strong>:
The integration of Cloud Native Infrastructure Platform (CNIP) and Swisscom Kubernetes Platform (SKP) forms the foundation of the new Kubernetes Service, enabling flexible handling as separate platform layers for streamlined future operations.&lt;/li>
&lt;li>&lt;strong>Vendor-Agnostic Production Platform&lt;/strong>:
By eliminating proprietary technology, a resilient and adaptable foundation has been established to host managed Kubernetes clusters within Swisscom&amp;rsquo;s Private Cloud, ensuring a high degree of flexibility and scalability, as well as privacy.&lt;/li>
&lt;li>&lt;strong>Modern Cloud-Native Foundation&lt;/strong>:
The implementation of Kubernetes to deliver managed Kubernetes clusters to end customers enables a unified cloud-native stack across all layers of responsibility, promoting consistency and efficiency.&lt;/li>
&lt;li>&lt;strong>Best Practice Design&lt;/strong>:
Collaborating with Kubermatic, a modern Kubernetes platform was designed, incorporating the latest technologies such as KubeVirt and Kube-OVN, to ensure an enterprise-ready solution for end customers.&lt;/li>
&lt;li>&lt;strong>Operational Excellence&lt;/strong>:
Equipping teams with essential cloud-native and Kubernetes expertise enhances the attractiveness of Swisscom&amp;rsquo;s tech stack to potential candidates and reinforces the company&amp;rsquo;s commitment to the Open-Source community.&lt;/li>
&lt;li>&lt;strong>Successful Internal Adoption&lt;/strong>:
The Kubernetes Service was successfully launched as Swisscom&amp;rsquo;s internal Container platform, achieving significant traction with over 60% of workloads migrated within the first 9 months of operation.&lt;/li>
&lt;/ul>
&lt;h2 id="what-has-not-worked-well">What has not worked well?&lt;/h2>
&lt;p>While the architecture delivered significant improvements, several challenges emerged during implementation:&lt;/p>
&lt;ul>
&lt;li>
&lt;p>&lt;strong>Enterprise-Readiness of Cloud Native Technologies&lt;/strong>:
Despite successful scaling in test and internal production environments, many advanced cloud-native technologies faced difficulties when deployed in enterprise-grade settings for end customers (e.g., B2B market). This highlighted the need for further refinement and testing in real-world scenarios.&lt;/p>
&lt;p>For KubeVirt, for instance, there are only limited real-world examples, best practices or reference designs available to draw upon for large-scale, production-grade business deployments. Switching fully to Kube-OVN as the main network layer also demands extra effort and is less straightforward than traditional network solutions with established production lifecycles.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Limited Support and Professional Services&lt;/strong>:
The availability of professional support, particularly 24/7, for open-source and cloud-native technologies is limited. This poses challenges for enterprises seeking to adopt these technologies and provide services with guaranteed service levels (SLAs).&lt;/p>
&lt;p>A possible solution is for more companies to provide professional support and make these services more transparent. Furthermore, the CNCF could introduce a &amp;ldquo;Certified Supporter&amp;rdquo; verification system to strengthen trust in firms that offer professional support.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Knowledge Gaps and Skills Requirements&lt;/strong>:
Adopting new technologies demands specialized knowledge and expertise. In-house engineers required additional training and support to effectively maintain and troubleshoot products built on these technologies.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>&lt;strong>Customer Acceptance and Migration Challenges&lt;/strong>:
Introducing a new platform based on modern technologies, without a proven track record in enterprise-grade deployments, required significant effort to educate customers, facilitate migration from legacy stacks, and promote the benefits of a sovereign cloud solution. This process demanded substantial resources and support to ensure a smooth transition.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;h2 id="what-sort-of-glue-have-you-had-to-develop-to-enable-usage-of-your-architecture-">What sort of “glue” have you had to develop to enable usage of your architecture ?&lt;/h2>
&lt;p>The reference architecture provides a strong foundation, making it practical and easy to use. The below elements were designed to simplify adoption, improve usability, and ensure seamless interaction across layers acting as the &amp;ldquo;glue&amp;rdquo;:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Unified Abstraction APIs&lt;/strong>: Developed APIs (Open Service Broker spec) that hide complexity and provide a consistent interface for orchestration and other consuming Operational Support Systems (OSS).&lt;/li>
&lt;li>&lt;strong>Advanced Routing Functionality&lt;/strong>: In order to integrate the customer environments into the Swisscom Core Network (MPLS), we developed and implemented our own concept of edge routers using BGP on FRRouting pods. This custom solution supports NAT, Fail-over (VRRP) as well as north-south firewalling (traffic from/to customer environments). These router pods are managed by an operator and configured with custom resource definitions.&lt;/li>
&lt;li>&lt;strong>Policy Integration Layer&lt;/strong>: Built operators to dynamically apply and manage Kyverno policies across different stages without requiring deep technical intervention.&lt;/li>
&lt;li>&lt;strong>Firewall Management&lt;/strong>: Implemented operators and API endpoints to allow customers to manage firewall rules on the SDN layer of the KubeVirt infrastructure, via Kube-OVN network policies.&lt;/li>
&lt;li>&lt;strong>Workflow Orchestration Logic&lt;/strong>: Developed and implemented the entire platform orchestration logic and automated pipelines from bottom-up.&lt;/li>
&lt;li>&lt;strong>Commandline tooling&lt;/strong>: Various commandline tools for human operators to manage and control the entire platform and all parts of it with ease.&lt;/li>
&lt;li>&lt;strong>Testing &amp;amp; Fine-tuning&lt;/strong>: With limited experience in large-scale bare-metal Kubernetes deployments, we had to do a lot of testing, validation and fine-tuning. We had to make sure, that the platform scales properly with more workloads being migrated every day.&lt;/li>
&lt;/ul>
&lt;h2 id="has-your-architecture-evolved-what-lessons-have-you-learned-from-previous-iterations">Has your architecture evolved? What lessons have you learned from previous iterations?&lt;/h2>
&lt;p>Our architecture and product have undergone significant evolution through iterative development, driven by customer feedback and emerging requirements.&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Iterative Development Approach&lt;/strong>:
We began by establishing foundational layers and meeting the needs of our internal Swisscom customers. Subsequent iterations introduced advanced features for end customers, incorporating feedback from both internal and external stakeholders.&lt;/li>
&lt;li>&lt;strong>Continuous Improvement and Feedback Loop&lt;/strong>:
Each iteration allowed us to gather valuable insights and add new functionalities, refining our product and enhancing customer satisfaction.&lt;/li>
&lt;li>&lt;strong>Steep Learning Curve and Expertise Development&lt;/strong>:
As we ramped up the product, our teams faced a significant learning curve, developing essential expertise and professionalizing DevOps processes to ensure seamless operation.&lt;/li>
&lt;li>&lt;strong>Strategic Partnerships and Support&lt;/strong>:
Our collaboration with Kubermatic enabled us to leverage professional support for key components, including KubeVirt and Kube-OVN, ultimately maturing our production platform and solidifying its readiness for enterprise-grade deployments.&lt;/li>
&lt;/ul>
&lt;p>Through this iterative process, we&amp;rsquo;ve gained valuable lessons and refined our architecture to better meet the needs of our customers, while developing the expertise and partnerships necessary to drive continued success.&lt;/p>
&lt;h3 id="outcome">Outcome&lt;/h3>
&lt;p>By embracing open-source and cloud native technologies, Swisscom successfully created a sovereign cloud solution, modernizing its container offering while reducing vendor lock-in and providing advanced features to customers. The new «Kubernetes Service» demonstrates the power of cloud native architectures in creating flexible, scalable, and cost-effective solutions for enterprise-grade services, all while ensuring true data sovereignty and regulatory compliance. This approach positions Swisscom as a leader in sovereign cloud solutions, offering Swiss (and European) customers a trusted alternative to global hyperscalers.&lt;/p>
&lt;h2 id="whats-next-for-your-architecture-what-are-you-looking-to-do-next">What’s next for your architecture? What are you looking to do next?&lt;/h2>
&lt;p>Building on the success of our proven reference architecture, which now supports both internal and external customer workloads in production, we&amp;rsquo;re focused on expanding and enhancing our offerings:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Hybrid Cloud Expansion and Multi-Cloud Flexibility&lt;/strong>:
We&amp;rsquo;re working to enable seamless public cloud deployments, complementing our existing Swiss-based data centers and strengthening hybrid cloud use cases.&lt;/li>
&lt;li>&lt;strong>Edge Cloud Support&lt;/strong>:
With cloud sovereignty in mind, we are developing a «Kubernetes Service On-Prem» extension that will deliver the Private Cloud product on a Cloud Edge Stack at customer premises, enabling an autonomous instance of our Kubernetes Service. This is currently in development with an interested customer.&lt;/li>
&lt;li>&lt;strong>GPU-Enabled Workloads and Emerging Technologies&lt;/strong>:
Next, we&amp;rsquo;ll be integrating GPU support and exploring other emerging technologies to unlock new possibilities for compute-intensive applications.&lt;/li>
&lt;li>&lt;strong>Customer-Driven Features and Enhancements&lt;/strong>:
We&amp;rsquo;re committed to delivering additional features and functionalities requested by our customers, further enriching our platform and services.&lt;/li>
&lt;li>&lt;strong>Simplified Onboarding and Resource Optimization&lt;/strong>:
To improve efficiency and resource utilization, we&amp;rsquo;ll be introducing a shared cluster concept, allowing for more flexible and efficient use of our bare-metal infrastructure.&lt;/li>
&lt;li>&lt;strong>Exploring New Use Cases - VM Workloads&lt;/strong>:
We&amp;rsquo;re also investigating the possibility of hosting classical VM workloads on our Cloud Native Infrastructure Platform (CNIP), expanding the platform&amp;rsquo;s use cases beyond container-based workloads and further increasing its versatility.&lt;/li>
&lt;/ul>
&lt;p>By pursuing these initiatives, we aim to continue delivering value to our customers, drive innovation, and grow our architecture and services to meet evolving needs.&lt;/p>
&lt;h2 id="discussion">Discussion&lt;/h2>
&lt;p>End user members may participate in the &lt;a href="https://github.com/cncf/tab/discussions/134">discussion thread&lt;/a> for this architecture.&lt;/p></description></item><item><title>Architectures: Enabling Allianz Direct's scaling through Platform Engineering</title><link>https://deploy-preview-36--cncfarchitecture.netlify.app/architectures/allianz/</link><pubDate>Mon, 28 Oct 2024 00:00:00 +0000</pubDate><guid>https://deploy-preview-36--cncfarchitecture.netlify.app/architectures/allianz/</guid><description>
&lt;h2 id="relevant-cncf-projects">Relevant CNCF projects&lt;/h2>
&lt;div class="row row-cols-1 row-cols-md-3 mb-4">
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Kubernetes
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/kubernetes/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/kubernetes/icon/color/kubernetes-icon-color.svg" alt="kubernetes logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2021&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> 1.29.6&lt;/li>
&lt;/ul>
&lt;p>Kubernetes has been the foundation for our Internal Developer Platform and almost all of Adobe&amp;rsquo;s containerized workloads run on Kubernetes clusters.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Helm
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/helm/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/helm/icon/color/helm-icon-color.svg" alt="helm logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2021&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> v3.12.3&lt;/li>
&lt;/ul>
&lt;p>Helm is our package manager and helps us abstract out some of the complexity by including them as dependencies and only exposing the values.yaml file.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Argo
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/argo/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/argo/icon/color/argo-icon-color.svg" alt="prometheus logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2021&lt;/li>
&lt;/ul>
&lt;p>We are using all four projects under Argo:&lt;/p>
&lt;ul>
&lt;li>Argo CD: v2.9.22&lt;/li>
&lt;/ul>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;h2 id="platform-engineering---allianz-direct">Platform Engineering @ Allianz Direct&lt;/h2>
&lt;p>Allianz Direct has been working on building Platform Engineering for the past several years. We have created a cloud-native future-proof platform which offers an organisation-wide-devops(orgOps) experience on top of public cloud. Business, Software Engineers, Security, Compliance, Architecture, Support and Cost Efficiency are few of our stakeholders.&lt;/p>
&lt;h3 id="platform-engineering-team-topology---internal">Platform Engineering Team Topology - internal&lt;/h3>
&lt;p>The PE team is internally organised in DDOs - Distributed DevOps, where each ddo owns a Domain.
This setup follows the reverse Conway manoeuver where the reference architecture structure dictates
the teams setup.
The PE team consist of 13 members. All of them internal employees.&lt;/p>
&lt;p>The PE team is being supported by auxiliary teams:
Developer Service Hub (DSH): entry level engineers handling the low complexity tasks such as: access management,
1st level technical support, SRE onboarding, ticket sorting and filtering
Cloud Auditing Hub (CAH): entry level engineers with a focus on compliance and audit
Production Management Hub (PMH): entry level engineers with a focus on incident and problem management
Technical Tribe Leads (TTL): Technical leads on the Tribe (department) level that became our evangelist for best practices and
continuous innovation partners.&lt;/p>
&lt;h3 id="platform-engineering-team-topology---external">Platform Engineering Team Topology - external&lt;/h3>
&lt;p>Externally, the team has decided to scale by building on the concept of FDOs - Federated DevOps, where
each squad (developing team) has built internal devops expertise focusing a minimum amount of time on
Operations concerns. A FDO community has flourished and enabled successfully an extremely aggressive organisation scale up
The PE serves an approx. 500 engineers and 1500 employees.&lt;/p>
&lt;h2 id="platform-engineering-architecture">Platform Engineering Architecture&lt;/h2>
&lt;p>The PE team has built a Cloud Native Platform
that serves the core B2C business of a fully digital insurance player acting on
several european markets.&lt;/p>
&lt;p>&lt;img src="./images/PEArchitecture.jpg" alt="High Level Diagram">&lt;/p>
&lt;p>It serves also all the newly created B2B business initiatives.
The highly aggressive scale-up of the both B2B and B2B businesses forced the PE team to redesign the architecture towards
a multi-tenant architecture with minimum operational effort.
On top, the Platform has become a Organisation Group Standard and an example for Global initiatives. This forced the PE team to
choose a light architecture under a second Platform based on Fargate ECS, reducing the operational effort and talent demand to minimum.&lt;/p>
&lt;p>PE team delivered several cloud native best practices:&lt;/p>
&lt;ul>
&lt;li>GitOps (ORGops to be more precise)&lt;/li>
&lt;li>Stateless clusters orchestrated by a management cluster&lt;/li>
&lt;li>Fargate ECS multitenancy&lt;/li>
&lt;li>DevSecOps&lt;/li>
&lt;li>SRE&lt;/li>
&lt;/ul>
&lt;h3 id="special-projects-that-served-us-well">Special projects that served us well&lt;/h3>
&lt;ul>
&lt;li>
&lt;p>AWS obsession with customers served us well. The technical support and continuous relation with AWS architects
helped us maximise our effectiveness and evolve our architecture as well as complementing our stack with SaaS services
such as EKS, Redis, MSK.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>AWS managed Kubernetes gave us the flexibility we needed to meet our users needs with as little overhead as
possible. Most of our application choices come directly from our users, however our
infrastructure choices were made to balance our compliance needs, usability and supportability.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>ArgoCD has become instrumental for us and the core of our internal innovation. We are currently using it for spinning
up and managing our multitenant implementation whether that is on namespace level or Fargate ECS level.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>PAGT(Prometheus, Alert manager, Grafana and Thanos) stack is the core of our Observability.
It is complemented by OTEL and ELK Stack and enabled us to build a state of the art SRE journey for all our Stakeholders&lt;/p>
&lt;/li>
&lt;/ul>
&lt;h3 id="things-that-worked-well-for-us">Things that worked well for us&lt;/h3>
&lt;p>EKS and now EKS + Fargate ECS works great for us. We can fully owns our core domains and stay hardened with minimum effort.
Complementing our Stack with AWS services especially on Persistence, Data Streaming and Storage increase our innovation speed.
ArgoCD with helm, Atlantis with terraform and Crossplane are working great for us, allowing us to follow the GitOps way,
a great way of working for heavily regulated industries.&lt;/p>
&lt;h2 id="stakeholders-value-streams">Stakeholders value streams&lt;/h2>
&lt;h3 id="business">&lt;strong>Business&lt;/strong>&lt;/h3>
&lt;ul>
&lt;li>Cost savings of X%&lt;/li>
&lt;li>Business Delivery expedited by X%&lt;/li>
&lt;li>Security incidents reduced by X%&lt;/li>
&lt;li>Reliability incidents reduced by X%&lt;/li>
&lt;li>Organizational Performance increased by X%&lt;/li>
&lt;/ul>
&lt;h3 id="end-customers">&lt;strong>End-Customers&lt;/strong>&lt;/h3>
&lt;ul>
&lt;li>User Experience improved by X%&lt;/li>
&lt;li>Fast Feedback loop increased by X%&lt;/li>
&lt;li>Reliability increased by X%&lt;/li>
&lt;/ul>
&lt;h3 id="developers">&lt;strong>Developers&lt;/strong>&lt;/h3>
&lt;ul>
&lt;li>DevX improved by X%&lt;/li>
&lt;li>Fast Software Delivery improved by X%&lt;/li>
&lt;li>Productivity increased by X%&lt;/li>
&lt;li>High Quality increased by X%&lt;/li>
&lt;li>Innovation increased by X%&lt;/li>
&lt;/ul>
&lt;h3 id="security">&lt;strong>Security&lt;/strong>&lt;/h3>
&lt;ul>
&lt;li>Cloud native Security costs reduced by X%&lt;/li>
&lt;/ul>
&lt;h3 id="compliance">&lt;strong>Compliance&lt;/strong>&lt;/h3>
&lt;ul>
&lt;li>Cloud compliance costs reduced by X%&lt;/li>
&lt;/ul>
&lt;h3 id="legal">&lt;strong>Legal&lt;/strong>&lt;/h3>
&lt;ul>
&lt;li>Cloud native legal cost reduced by X%&lt;/li>
&lt;/ul>
&lt;h3 id="qa">&lt;strong>QA&lt;/strong>&lt;/h3>
&lt;ul>
&lt;li>Automation increased by X%&lt;/li>
&lt;/ul>
&lt;h3 id="finopssustainability">&lt;strong>FinOps/Sustainability&lt;/strong>&lt;/h3>
&lt;ul>
&lt;li>Cloud Costs reduced by X%&lt;/li>
&lt;/ul>
&lt;h2 id="some-things-did-not-work-as-expected">Some things did not work as expected&lt;/h2>
&lt;p>Service Mesh did not work well for us. The Operational costs and lack of integration on the CNI level made us revert the journey.
Sidecar, eBPF Service Mesh seems to be the way forward for us.&lt;/p>
&lt;h2 id="architecture-evolution">Architecture evolution&lt;/h2>
&lt;p>The Architecture was designed as a single tenant but due to its success it needed to evolve to support multitenancy on
AWS account level, next on namespace level and now, due to the Global impact, on the Fargate ECS level.
Inevitably we ended with three Platforms(Architectures) that need to be simplify towards a maximum two that will evolve rapidly.
Migration work is inevitable.&lt;/p>
&lt;h2 id="the-journey">The Journey&lt;/h2>
&lt;p>It took us 4 years to move towards the current Platform Engineering setup. There is more to come. The full Journey as it happened till today 28.10.2024 can be seen in the following diagram:&lt;/p>
&lt;p>&lt;img src="./images/PEJourney.jpg" alt="High Level Diagram">&lt;/p></description></item><item><title>Architectures: Scaling Adobe’s Service Delivery Foundation with a Cell-based Architecture</title><link>https://deploy-preview-36--cncfarchitecture.netlify.app/architectures/adobe/</link><pubDate>Fri, 11 Oct 2024 00:00:00 +0000</pubDate><guid>https://deploy-preview-36--cncfarchitecture.netlify.app/architectures/adobe/</guid><description>
&lt;h2 id="relevant-cncf-projects">Relevant CNCF projects&lt;/h2>
&lt;div class="row row-cols-1 row-cols-md-3 mb-4">
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Kubernetes
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/kubernetes/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/kubernetes/icon/color/kubernetes-icon-color.svg" alt="kubernetes logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2019&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> 1.29.6&lt;/li>
&lt;/ul>
&lt;p>Kubernetes has been the foundation for our Internal Developer Platform and almost all of Adobe&amp;rsquo;s containerized workloads run on Kubernetes clusters.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Helm
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/helm/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/helm/icon/color/helm-icon-color.svg" alt="helm logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2019&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> v3.12.3&lt;/li>
&lt;/ul>
&lt;p>Helm is our package manager and helps us abstract out some of the complexity by including them as dependencies and only exposing the values.yaml file.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Argo
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/argo/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/argo/icon/color/argo-icon-color.svg" alt="prometheus logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2022&lt;/li>
&lt;/ul>
&lt;p>We are using all four projects under Argo:&lt;/p>
&lt;ul>
&lt;li>Argo CD: v2.9.22&lt;/li>
&lt;li>Argo Workflow: v3.4.6&lt;/li>
&lt;li>Argo Events: v1.9.0&lt;/li>
&lt;li>Argo Rollouts v1.6.0&lt;/li>
&lt;/ul>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class="col mb-4">
&lt;div class="card h-100">
&lt;div class="card-header">
Backstage
&lt;/div>
&lt;div class="card-body">
&lt;p class="card-text">
&lt;p>&lt;a href="https://www.cncf.io/projects/backstage/">&lt;img src="https://raw.githubusercontent.com/cncf/artwork/main/projects/backstage/icon/color/backstage-icon-color.svg" alt="helm logo">&lt;/a>&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Using since:&lt;/strong> 2023&lt;/li>
&lt;li>&lt;strong>Current version:&lt;/strong> TBD&lt;/li>
&lt;/ul>
&lt;p>Backstage is the backbone for our unified internal developer portal.&lt;/p>
&lt;/p>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;h2 id="developer-platforms--adobe">Developer Platforms @ Adobe&lt;/h2>
&lt;p>Adobe has been working on building an Internal Developer Platform (IDP) for the past several years. We have a core infrastructure layer which offers a compute layer on top of cloud providers such as AWS and Azure. On top of the infrastructure layer, we provide an end-to-end developer experience which helps developers in different phases of SDLC.&lt;/p>
&lt;p>Security, Compliance, Support and Cost Efficiency are cross-cutting concerns for both infrastructure and developer experience.&lt;/p>
&lt;h3 id="developer-experience--flex--adobe">Developer Experience / Flex @ Adobe&lt;/h3>
&lt;p>Adobe offers a rich developer experience to its developers to enable them to write better software faster. This includes a seamless experience for all phases of their application lifecycle: Concept → Code → Cloud → Customer. &lt;strong>Flex&lt;/strong> is the codename for Adobe’s &lt;strong>GitOps&lt;/strong>-based Service Delivery foundation.&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Concept → Code&lt;/strong>: Adobe offers standardized &lt;strong>bootstrappable golden templates&lt;/strong> via the unified developer portal (based on &lt;a href="https://backstage.io/">Backstage&lt;/a>), which provides a guided path that generates boilerplate code (with best practices built-in) for the app and infrastructure.
&lt;ul>
&lt;li>The promise is that you should be able to run and test the app locally right after code generation.&lt;/li>
&lt;li>The generated infrastructure includes, among other things, the manifests for the service’s CI/CD pipeline.&lt;/li>
&lt;li>&lt;em>Toolchain&lt;/em> - The developer portal is based on the industry-standard open-source tool Backstage.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>&lt;strong>Code → Cloud&lt;/strong>: Adobe offers customizable and flexible GitOps-based CI/CD pipelines (based on Argo projects) to developers.
&lt;ul>
&lt;li>The developers start with a paved path but Flex allows users to customize their CI/CD pipeline if needed, including adding new steps or changing the pipeline DAG.&lt;/li>
&lt;li>The CI/CD pipeline does just-in-time provisioning during deployments i.e. it provisions necessary resources to make deployments successful. For example, DNS endpoints, K8s namespaces, Argo CD apps etc.&lt;/li>
&lt;li>Advanced deployment strategies like Canary, Blue-Green etc. are supported out of the box.&lt;/li>
&lt;li>&lt;em>Toolchain&lt;/em> - We use industry-standard open-source Argo projects: Argo CD, Argo Workflows, Argo Events, and Argo Rollouts.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>&lt;strong>Cloud → Customer&lt;/strong>: Adobe offers a “Single pane of glass” developer experience (called Flexperience) in the developer portal for managing the application.
&lt;ul>
&lt;li>&lt;em>Toolchain&lt;/em> - The experience is provided as a Backstage plug-in in the developer portal.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>&lt;strong>Control Plane&lt;/strong> – The control plane for the service delivery workflow is based on AWS EKS clusters.&lt;/li>
&lt;/ul>
&lt;p>Flex has had rapid organic growth in the last 2 years since its launch. Here are some numbers that represent the scale that we are handling (as of Oct 2024):&lt;/p>
&lt;ul>
&lt;li>&amp;gt; 360 remote K8s clusters&lt;/li>
&lt;li>&amp;gt; 22K Argo CD apps&lt;/li>
&lt;li>&amp;gt; 30K deployments per month&lt;/li>
&lt;li>&amp;gt; 1K services in production&lt;/li>
&lt;/ul>
&lt;p>And these numbers are increasing by the day.&lt;/p>
&lt;p>In this article, we will cover Flex’s initial architecture, its challenges, and the need for a re-architecture. Then, we will deep-dive into our new Flex-in-a-box architecture, including the architecture requirements and an introduction to cell-based architecture. We’ll conclude by discussing the benefits, challenges, use cases, and future ideas.&lt;/p>
&lt;h2 id="initial-architecture">Initial Architecture&lt;/h2>
&lt;p>Here is a simplified high-level diagram describing how Flex acts as the foundation between the source (Github), destinations, and the developer surfaces.&lt;/p>
&lt;p>&lt;img src="./images/FlexHighLevel.png" alt="High Level Diagram">&lt;/p>
&lt;p>As you can see in the diagram, the CI/CD foundation acts as the glue between the source and the destinations. The developer surfaces, powered by the foundation, offer paved roads and seamless workflows for various use cases.&lt;/p>
&lt;p>Here is the initial architecture that we started with.&lt;/p>
&lt;p>&lt;img src="./images/InitialArchitecture.png" alt="Initial Architecture Diagram">&lt;/p>
&lt;p>We have a Hub-and-Spoke architecture with the Hub in the middle (aka Flex Hub k8s cluster) connected to the various remote K8s clusters, which act as the spokes. As you can see, we have Git as the source of truth on the left, and K8s clusters as the remote clusters (destinations) on the right.&lt;/p>
&lt;p>We use Argo Workflows for creating the CI/CD pipeline, Argo CD for providing GitOps capabilities, and Argo Events for catching events and triggering workflows. The CI/CD pipeline runs on the Hub cluster in a per-service namespace. Argo Rollouts is installed on remote K8s clusters and provides advanced deployment capabilities with Argo CD. The service runtime runs on namespaces provisioner on these remote K8s clusters.&lt;/p>
&lt;p>Provisioner is a homegrown component that does the just-in-time provisioning during deployments. A couple of home-grown Observability components send events and information to our homegrown Flex backend, where the data is aggregated and exposed via a set of Flex APIs. The Flex developer experience (aka Flexperience) in the Developer Portal / Backstage uses the Flex APIs provided by the Flex backend to populate the service’s info.&lt;/p>
&lt;p>Each service has two repos associated with it: an app repo and a deploy repo. App repo has the code for business logic, and the deploy repo has the configs and manifests for CI/CD, K8s resources etc.&lt;/p>
&lt;h3 id="challenges-with-initial-architecture">Challenges with Initial Architecture&lt;/h3>
&lt;p>While the initial architecture provided a starting point, it had its challenges. We realized these challenges after 6 months when we crossed approximately 2.5K Argo CD applications.&lt;/p>
&lt;p>&lt;strong>No tuning&lt;/strong> - We used the Argo components with no/minimal tuning, and realized that there were several knobs and controls available on the Argo components that could be leveraged to improve the stability, performance, and scalability of the components.&lt;/p>
&lt;p>&lt;strong>Heavy load on K8s control plane&lt;/strong> - Flex Hub cluster is based on AWS EKS, and we just had one Hub cluster. We realized that Argo CD and Argo Workflows interact heavily with the EKS control plane, which includes the K8s API Server and etcd. The CI/CD experience is severely impacted when the K8s control plane is under heavy load.&lt;/p>
&lt;p>&lt;strong>Shared control plane&lt;/strong> - Both Argo CD and Argo Workflows were running on the same EKS cluster, which multiplied the overhead and load on the EKS control plane. This impact was observed in terms of degraded latency of the K8s API server, high etcd usage/churn etc., that caused a severe impact on the performance of anything interacting with the K8s control plane, including the Argo components. As a result, the user experience was getting impacted and client deployments were either taking a long time or failing.&lt;/p>
&lt;p>&lt;strong>No automation to create Flex Hub cluster&lt;/strong> - Flex Hub cluster was brought up manually, over many quarters, by different individuals. We did not have a concrete list of steps and automation to bring up a Flex Hub cluster, thereby putting us at risk if the Hub cluster goes down. It was a huge risk for the platform team and client teams because it would have taken us a long time to create a new one, and client deployments would have been stuck during that duration.&lt;/p>
&lt;p>As a result of these challenges, we experienced several outages for the developer experience CI/CD workflows, including slow builds, hung workflows, and deployments taking too long, among other things.&lt;/p>
&lt;h2 id="potential-solutions">Potential Solutions&lt;/h2>
&lt;p>Given the problems we faced, we realized quickly that one Flex Hub cluster would not be enough. We invested heavily in vertically scaling Flex Hub cluster by tuning and optimizing the Argo components, EKS control plane, and homegrown tooling. This helped us get out of the woods and support &amp;gt;10K Argo CD apps. While we will continue to scale Flex Hub cluster vertically to support more services/Argo CD apps, we knew that the runway will be limited.&lt;/p>
&lt;p>We were projecting 10X growth in the next two years, and one Flex Hub cluster could not support all that scale alone. We needed more than one Flex Hub cluster.&lt;/p>
&lt;h3 id="scale-up">Scale Up&lt;/h3>
&lt;p>There were a lot of configuration changes and optimizations we did to scale Flex Hub cluster vertically. These included:&lt;/p>
&lt;ul>
&lt;li>Scale up replica count for Argo CD application controller and repo server&lt;/li>
&lt;li>Ask Argo CD to exclude resources that we should not manage&lt;/li>
&lt;li>Tune Argo CD self-heal and reconciliation timeouts&lt;/li>
&lt;li>Adjust Argo CD repo server parallelism&lt;/li>
&lt;li>Enable gzip compression for server responses&lt;/li>
&lt;li>Archive old Argo Workflows by setting a short TTL&lt;/li>
&lt;li>Switch from K8s APIs to Argo CD APIs to leverage informer cache&lt;/li>
&lt;/ul>
&lt;p>This list is not exhaustive and there were many more improvements which helped us tremendously. We have talked about some of these improvements in previous talks:&lt;/p>
&lt;ul>
&lt;li>&lt;a href="https://www.youtube.com/watch?v=7yVXMCX62tY">Key Takeaways from Scaling Adobe&amp;rsquo;s CI/CD Solution to Support 50K Argo CD Apps (KubeCon EU 2024)&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://www.youtube.com/watch?v=MDXrc_cLVns">Scaling a GitOps Platform at Adobe (GitOpsCon 2024)&lt;/a>&lt;/li>
&lt;/ul>
&lt;h3 id="scale-out">Scale Out&lt;/h3>
&lt;p>While the scale-up improvements were helping, we decided to re-architect. Though we had a couple of options, we decided to scale horizontally by having more than one Flex Hub cluster because it satisfied many of the architecture requirements (listed below) and gave us the biggest bang for the buck.&lt;/p>
&lt;p>This was not going to be easy, because we had hundreds of production services running and we did not want to impact any of them. The rest of the article goes into the details of how we approached the re-architecture.&lt;/p>
&lt;h3 id="flexbox-concept">Flexbox concept&lt;/h3>
&lt;p>As a first step, we came up with the concept of a &lt;strong>Flexbox&lt;/strong>. A Flexbox is a collection of Flex components that work together to provide the GitOps foundation for our CI/CD solution. We called the Flex Hub K8s cluster which formed the basis of our initial architecture, Flexbox 1.&lt;/p>
&lt;p>Keeping future extensibility in mind, we also decoupled the concept of Flexbox from clusters. A Flexbox can be extended to support many physical and virtual Hub clusters inside it. Because the initial architecture had just one physical Flex Hub cluster, Flexbox 1 also had one Hub cluster.&lt;/p>
&lt;h2 id="new-architecture-requirements">New Architecture Requirements&lt;/h2>
&lt;p>We came up with the following key requirements for the new architecture.&lt;/p>
&lt;ol>
&lt;li>Ability to &lt;strong>predictably add scale&lt;/strong> (horizontally and vertically) as needed, for short-term and future needs.&lt;/li>
&lt;li>Ability to &lt;strong>relocate services&lt;/strong> out of Flexbox 1 and relieve pressure.&lt;/li>
&lt;li>The services should not decide which Flexbox they are on.&lt;/li>
&lt;li>&lt;strong>No impact of rearchitecture on any existing services&lt;/strong> (runtime or CI/CD) on Flexbox 1.&lt;/li>
&lt;li>No impact on service runtime during box-2-box relocation.&lt;/li>
&lt;li>A service (app and deploy repos) should be associated with one Flexbox at a time.&lt;/li>
&lt;li>Minimal impact/downtime during relocation to the service’s CI/CD pipeline, if at all.&lt;/li>
&lt;li>During relocation, the service owners should be aware of the relocation and the downtime.&lt;/li>
&lt;li>Ability to support more than one physical or virtual clusters inside a Flexbox.&lt;/li>
&lt;li>Ability to support non-container workflows as well e.g. Serverless, Cloud Infrastructure etc.&lt;/li>
&lt;/ol>
&lt;h2 id="what-is-cell-based-architecture">What is Cell-Based architecture&lt;/h2>
&lt;p>Cell-based architecture is an architecture pattern that involves designing systems with multiple cells capable of executing the designated tasks independently. The basic idea is to have the ability to scale out by adding identical cells that handle the same kind of workload and isolate fault boundaries to limit the impact in case of failures.&lt;/p>
&lt;p>Each cell is independent, does not share any state with other cells, and handles a subset of the overall workload requests. This reduces the potential impact of a failure, such as a bad software update, on an individual cell and the requests that it&amp;rsquo;s processing.&lt;/p>
&lt;p>Here&amp;rsquo;s a diagram that depicts the cell-based architecture at a high level:
&lt;img src="./images/CellBasedArchitecture.webp" alt="Cell-based Architecture Diagram">&lt;/p>
&lt;p>More details here:
Diagram Source: &lt;a href="https://newsletter.systemdesign.one/p/cell-based-architecture">https://newsletter.systemdesign.one/p/cell-based-architecture&lt;/a> &lt;br>
Reference: &lt;a href="https://docs.aws.amazon.com/wellarchitected/latest/reducing-scope-of-impact-with-cell-based-architecture/what-is-a-cell-based-architecture.html">https://docs.aws.amazon.com/wellarchitected/latest/reducing-scope-of-impact-with-cell-based-architecture/what-is-a-cell-based-architecture.html&lt;/a>&lt;/p>
&lt;h2 id="flex-in-a-box-fiab-architecture">Flex-in-a-Box (FiaB) architecture&lt;/h2>
&lt;p>With the requirements above, we developed a &lt;strong>Flex-in-a-box (FiaB) architecture&lt;/strong>. This architecture allows us to encapsulate Flex components in boxes and easily replicate them to add scale on demand. We started by adding a new Flexbox 2. Before FiaB, all services were associated with Flexbox 1. This means that the CI/CD pipelines for these services run on Flexbox1. With FiaB and newer Flexboxes, now services can be onboarded to Flexbox 2 also, and any of the future Flexboxes.&lt;/p>
&lt;p>To keep the impact of architectural changes to a minimum, we decided to have just one physical Hub cluster in Flexbox 2 too, and make it very similar to the Flex Hub cluster in Flexbox 1.&lt;/p>
&lt;p>Our FiaB architecture is based on three Rs:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Recreation&lt;/strong> – Ability to (re)create and upgrade more Flexboxes with repeatability and predictability, with a GitOps-based CI/CD pipeline.&lt;/li>
&lt;li>&lt;strong>Redirection&lt;/strong> – Ability for Flex admins to decide which service maps to which Flexbox via declarative rules, and have services routed to the correct boxes based on those rules.&lt;/li>
&lt;li>&lt;strong>Relocation&lt;/strong> – Ability to relocate a service (with automation) from one Flexbox to another with zero downtime for the service runtime, zero work for the service team, and minimal downtime (&amp;lt; 15 mins) for the CI/CD pipeline.&lt;/li>
&lt;/ul>
&lt;p>Here’s a diagram that captures these three concepts. More details on these 3 Rs below.&lt;/p>
&lt;p>&lt;img src="./images/FiaBArchitecture.png" alt="3R diagram">&lt;/p>
&lt;h3 id="recreation">Recreation&lt;/h3>
&lt;p>We created a GitOps-based pipeline for Flexbox lifecycle management. This means that there is a Flexbox config in Git which defines what a Flexbox looks like. Here is a diagram showing the workflow in action:&lt;/p>
&lt;p>&lt;img src="./images/FiaBAutomation.png" alt="Recreation diagram">&lt;/p>
&lt;p>As can be seen from the diagram, any changes to the Flexbox config triggers a Flexbox automation Argo workflow. The workflow has a series of steps that automate the setup of a Flexbox on top of an EKS cluster.&lt;/p>
&lt;p>The workflow has two key objectives:&lt;/p>
&lt;ol>
&lt;li>Creates the Helm charts for the various Flexbox components - This step understands the Flexbox configs and creates the Helm charts for Flexbox components, including Argo CD, Argo Workflows, Argo Events, Provisioner and Monitoring.
&lt;ul>
&lt;li>The workflow step then commits these Helm charts to Git, allowing Argo CD apps to sync these changes to the destination Flexbox.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Provisioning resources for Flexbox components, including creating Argo CD apps for each of the Flex components (Argo CD, Argo Workflows, Argo Events etc.) that need to be installed in the Flexbox. It’s an Argo of Argos architecture, where an Argo CD 0 (level zero) manages the Argo CD apps (level 1) for the various Flex components to be deployed on the destination Flexbox.&lt;/li>
&lt;/ol>
&lt;h3 id="redirection">Redirection&lt;/h3>
&lt;p>Once we have a new Flexbox, we need the ability to map services to Flexboxes and redirect the Github events to the correct Flexbox. This function is performed by a new component called &lt;strong>Redirector&lt;/strong>, which sits between Github and the Flexboxes (as can be seen in the new architecture diagram above).&lt;/p>
&lt;p>Loosely speaking, Redirector acts as a poor man&amp;rsquo;s load balancer for Flexboxes. When the first event arrives for any service, Redirector evaluates the rules defined by Flex admins and maps the service to a Flexbox based on the rules. These rules are specified declaratively in a Github repo for Redirector by Flex admins. Redirector stores the box&amp;lt;&amp;gt;service mapping in a DB for future reference. For any subsequent GitHub events, it just picks up the mapping from the DB and routes the events to the appropriate Flexbox.&lt;/p>
&lt;h3 id="relocation">Relocation&lt;/h3>
&lt;p>While Flexbox 2 and other components in FiaB architecture were being built, there was constant organic adoption of Flex, Flexbox 1 was getting filled up and was under increasing pressure.&lt;/p>
&lt;p>To relieve the pressure on Flexbox 1 and future use cases too, we needed a way to cleanly relocate a service from a source Flexbox to a destination Flexbox, without disrupting the service runtime. We created a new component called &lt;strong>Relocator&lt;/strong> which does just that. Here are the four broad phases in the Relocator:&lt;/p>
&lt;ol>
&lt;li>&lt;strong>Stop the service’s CI/CD pipeline on source Flexbox&lt;/strong> - This would include pausing the Argo CD sync and stopping Redirector from sending the events for this service to the source Flexbox. This step also flags the service status (in Redirector) as “relocating” which helps us inform the developers that their service’s deployment pipeline is “under maintenance”.&lt;/li>
&lt;li>&lt;strong>Recreate the service’s CI/CD pipeline on the destination Flexbox&lt;/strong> - This includes recreating/copying the resources in the source Flexbox on the destination Flexbox.&lt;/li>
&lt;li>&lt;strong>Validate and start the service’s CI/CD on destination Flexbox&lt;/strong> - This includes starting the Argo CD sync and allowing Redirector to send the events for this service to the destination Flexbox.&lt;/li>
&lt;li>&lt;strong>Delete Flex pipeline on source Flexbox&lt;/strong> - Once everything is working fine, delete the resources on the source Flexbox to clean things up. This step also removes the “relocating” service status in Redirector.&lt;/li>
&lt;/ol>
&lt;h3 id="flex-in-a-box-fiab-vs-cell-based-architecture">Flex-in-a-box (FiaB) vs Cell-based architecture&lt;/h3>
&lt;p>When we started on FiaB, we did not use cell-based architecture as a reference. We realized later when we had conceived the new architecture that it is conceptually very similar to cell-based architecture.&lt;/p>
&lt;p>In terms of comparison, a Cell in a cell-based architecture is loosely equivalent to a Flexbox in Flex-in-a-Box (FiaB).&lt;/p>
&lt;h2 id="benefits--what-worked-well">Benefits / What worked well&lt;/h2>
&lt;p>The new Flex-in-a-box architecture offers various benefits:&lt;/p>
&lt;ol>
&lt;li>&lt;strong>“Stamp” setup&lt;/strong> - Ability to predictably and reliably create new Flexboxes.&lt;/li>
&lt;li>&lt;strong>Scale horizontally&lt;/strong> - Industry-proven way to scale horizontally by adding scale on demand.&lt;/li>
&lt;li>&lt;strong>Reduce existing load&lt;/strong> - Ability to relieve pressure on a Flexbox by allowing us to relocate services across Flexboxes, without any downtime.&lt;/li>
&lt;li>&lt;strong>Minimal relocation impact&lt;/strong> - Minimal impact/downtime to the service’s CI/CD pipeline for the duration of the relocation.&lt;/li>
&lt;li>&lt;strong>Abstracted Flexbox mapping&lt;/strong> - Service teams need not worry about which Flexbox they are on. Flex team decides the service&amp;lt;&amp;gt;Flexbox mapping.&lt;/li>
&lt;li>&lt;strong>Dedicated Flexboxes&lt;/strong> - Ability to provide dedicated Flexboxes to teams if need be.&lt;/li>
&lt;li>&lt;strong>Enhanced testing ability&lt;/strong> - Allow Flex team to test features/rollouts/infrastructure better using multiple boxes.&lt;/li>
&lt;li>&lt;strong>Configuration flexibility&lt;/strong> - Different Flexboxes may have different versions of Flex components installed if need be. In fact, different Flexboxes may have different components altogether. For example, one may host GitHub Action runners inside a Flexbox, rather than Argo Workflows. One Flexbox may have two clusters in it. We need to be wary of snowflakes though.&lt;/li>
&lt;li>&lt;strong>Better audit&lt;/strong> - Ability to track, monitor and audit GitHub events coming via Redirector.&lt;/li>
&lt;li>&lt;strong>Efficiency&lt;/strong> - Ability to maintain Flexboxes at optimum capacity rather than stretching one Flexbox to the limit.&lt;/li>
&lt;li>&lt;strong>Limit blast radius&lt;/strong> - If one of the boxes goes down, only services mapped to that Flexbox are affected, and can be relocated.&lt;/li>
&lt;li>&lt;strong>Better disaster recovery&lt;/strong> - Ability to recover quickly from disasters because of relocation.&lt;/li>
&lt;/ol>
&lt;h2 id="performance-tests--benchmarking">Performance Tests / Benchmarking&lt;/h2>
&lt;p>We did several benchmarking and testing efforts to see the benefits of the various vertical and horizontal scaling improvements.&lt;/p>
&lt;p>We recently presented them with the details at KubeCon EU 2024. Here’s the link: &lt;br>
&lt;a href="https://www.youtube.com/watch?v=7yVXMCX62tY">Key Takeaways from Scaling Adobe&amp;rsquo;s CI/CD Solution to Support 50K Argo CD Apps&lt;/a>&lt;/p>
&lt;p>We also published a blog with focus on Argo Workflows scalability testing:&lt;br>
&lt;a href="https://cnoe.io/blog/argo-workflow-scalability">Argo Workflows Controller Scalability Testing on Amazon EKS&lt;/a>&lt;/p>
&lt;h2 id="challenges--risks">Challenges / Risks&lt;/h2>
&lt;p>While this architecture works well for us and provides us with a lot of flexibility, every architecture has some challenges, risks and overheads. Here are a few for FiaB architecture:&lt;/p>
&lt;ol>
&lt;li>&lt;strong>Infrastructure cost&lt;/strong> - There is some extra cost of running each Flexbox due to the additional control plane and the extra capacity buffer per cluster.&lt;/li>
&lt;li>&lt;strong>Complexity&lt;/strong> - Architecture becomes more complex because of adding a new Redirector component between GitHub and Flexbox. As a side effect, Redirector becomes a single point of failure across Flexboxes.&lt;/li>
&lt;li>&lt;strong>Thresholds/Limits&lt;/strong> - Defining and managing limits for each Flexbox is a challenge.&lt;/li>
&lt;li>&lt;strong>Support cost&lt;/strong> - The support team has to understand the role played by Redirector and Relocator when troubleshooting issues.&lt;/li>
&lt;li>&lt;strong>User experience&lt;/strong> - If a service gets relocated, some links exposed to clients may change e.g. Argo CD and Argo Workflows URLs, along with Hub cluster information.&lt;/li>
&lt;/ol>
&lt;h2 id="use-cases">Use cases&lt;/h2>
&lt;p>The Flex-in-a-box architecture opens up a world of possibilities for us in the future. Here are a few use cases:&lt;/p>
&lt;ol>
&lt;li>&lt;strong>Dedicated Flexboxes for specific orgs/teams&lt;/strong> - Some teams have already requested dedicated Flexboxes for their teams to effectively manage the noisy neighbor problem, and also enable efficient chargeback.
&lt;ul>
&lt;li>This also allows us to shard the clusters better across Flexboxes.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>&lt;strong>Domain-specific Flexboxes&lt;/strong> - Specific Flexboxes could be dedicated to specific domains. For example:
&lt;ol>
&lt;li>Windows - Windows builds are a different beast than builds for Linux. Services workflows needing Windows builds may get routed to a Flexbox with specific tools/components to do a Windows build.&lt;/li>
&lt;li>Desktop / Mobile - Builds for desktop and mobile apps may need a dedicated build farm. One or more Flexboxes can be designated/dedicated for this.&lt;/li>
&lt;li>Cloud Infrastructure Provisioning - Cloud infrastructure provisioning requires custom operators and may need a separate Flexbox to ensure that specific custom operators do not adversely affect the performance of existing workloads. We can provide a dedicated box for hosting such workloads.&lt;/li>
&lt;li>FaaS/Wasm - Building and testing Wasm modules could be very different than building containers. We can provide a dedicated box for hosting FaaS workflows.&lt;/li>
&lt;/ol>
&lt;/li>
&lt;li>&lt;strong>Toolchain-specific Flexboxes&lt;/strong> - Flexboxes could cater to specific toolchains too. For example, if a service is using GitHub Actions (GHA) as the technology for pipeline creation and executions, GHA runners for the same could run in a specific Flexbox.&lt;/li>
&lt;/ol>
&lt;h2 id="whats-next--future-exploration">What&amp;rsquo;s Next / Future Exploration&lt;/h2>
&lt;h3 id="flex-in-a-box-improvements">Flex-in-a-Box improvements&lt;/h3>
&lt;p>While this architecture will serve us well in the future, here are some areas of future exploration:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Better sharding&lt;/strong> - As of now, all remote clusters are registered with Flexbox 1 and Flexbox 2. There is a hidden performance impact on the remote cluster for each Argo CD instance monitoring it. We can improve the sharding to have specific orgs/services on a specific Flexbox. This allows only clusters associated with those services to be registered with Argo CD on that box.&lt;/li>
&lt;li>&lt;strong>Split Argo CD and Argo Workflows across clusters&lt;/strong> - One of the challenges with current architecture is that both Argo CD and Argo Workflows are on the same cluster. This can be improved by running Argo CD on a cluster other than the one running Argo Workflows. This separate cluster could be another physical cluster in the same Flexbox, or it could be a virtual cluster (e.g. vCluster) running on the existing physical/host cluster.&lt;/li>
&lt;/ul>
&lt;h3 id="open-sourcing">Open-sourcing&lt;/h3>
&lt;p>Alongside the architecture improvements, Adobe is an integral part of CNOE cohort and we are working with a few companies (inside and outside of CNOE) to see how they can use what we have already built, and open-source Flex (or perhaps parts of it to start with).&lt;/p>
&lt;h3 id="unified-cicd">Unified CI/CD&lt;/h3>
&lt;p>We have started a new initiative called Unified CI/CD which has the following goals:&lt;/p>
&lt;ol>
&lt;li>&lt;strong>Beyond containers&lt;/strong> - We primarily cater to container based workloads and this initiative helps us serve non-container use cases such as mobile, static website, desktop, serverless etc.&lt;/li>
&lt;li>&lt;strong>Secure by default&lt;/strong> - We aim to incorporate all non-negotiable security best practices by default in our pipelines and enforce them.&lt;/li>
&lt;li>&lt;strong>Sealed Paved Roads&lt;/strong> - We are working towards providing paved roads/paths for the most common use cases and make them &lt;strong>&amp;ldquo;sealed&amp;rdquo;&lt;/strong>, minimizing the need (and making it hard) to deviate from the paved road while ensuring standardization, configurability, security, compliance, and other best practices.&lt;/li>
&lt;li>&lt;strong>Simplified workflows&lt;/strong> - Make the workflows simpler to ensure faster onboarding, reduced time for &amp;ldquo;zero to first commit&amp;rdquo;, faster “Concept -&amp;gt; Code -&amp;gt; Running state”.&lt;/li>
&lt;/ol>
&lt;h2 id="key-takeaways--lessons-learnt">Key Takeaways / Lessons Learnt&lt;/h2>
&lt;p>There were many key takeaways in this journey and several lessons learnt that can benefit the community. Here are a few:&lt;/p>
&lt;ol>
&lt;li>&lt;strong>Developer Experience as a Product&lt;/strong> - Developer Experience should be treated as a product and non-functional requirements (NFRs, such as scalability, stability, performance etc.) should be given as much importance as functionality.&lt;/li>
&lt;li>&lt;strong>Plan for future scale&lt;/strong> - Plan upfront about horizontal and vertical scaling needs, and how a combination of the two can help you achieve your scaling needs. The architecture should be able to evolve to handle future requirements and scale.&lt;/li>
&lt;li>&lt;strong>Sharding Strategy&lt;/strong> - Think of a sharding strategy for your services depending on your requirements. For Adobe, specific orgs/services on a specific Flexbox works out well.&lt;/li>
&lt;li>&lt;strong>Flexbox automation&lt;/strong> - Automate the creation of “your Flexboxes” from the beginning. This helps bring in predictability and reliability.&lt;/li>
&lt;li>&lt;strong>Performance Monitoring&lt;/strong> - Monitor key performance metrics from the beginning to figure when your infrastructure is under stress. We figured it too late and it led to clients facing issues before we could detect them.&lt;/li>
&lt;li>&lt;strong>K8s Control Plane as the bottleneck&lt;/strong> - We realized it pretty late that K8s control plane can become a bottleneck and how Argo CD and Argo Workflows can pound the K8s API server. Avoid having Argo CD and Argo Workflows on the same cluster.&lt;/li>
&lt;li>&lt;strong>Plan for Disasters / Relocation&lt;/strong> - Disasters will happen. Clusters will go down. Think of how you would deal with it. Can you relocate workloads to another cluster? Another Flexbox? What would be the Developer Experience before/during/after relocation?&lt;/li>
&lt;/ol>
&lt;h2 id="conclusion">Conclusion&lt;/h2>
&lt;p>A rich and seamless developer experience acts as a developer productivity multiplier and helps any enterprise compete better. Flex-in-a-box architecture provides Adobe with a solid foundation which we can use to scale our current developer experience foundation for future needs. This includes developer experience needs for use cases such as Windows, Serverless, Cloud Infrastructure, Desktop and Mobiles, Static Websites etc.&lt;/p>
&lt;h2 id="discussion">Discussion&lt;/h2>
&lt;p>End user members may participate in the &lt;a href="https://github.com/cncf/tab/discussions/138">discussion thread&lt;/a> for this architecture.&lt;/p></description></item></channel></rss>