...

Delft-FEWS system installation on regular hardware / VMs is currently done by installing RPMs, unzipping the binaries, setting OS environment variables and starting a launcher service. For installation in Kubernetes this is not going to be much different. Usually this is controlled using data-driven YAML / JSON configuration files to apply the needed actions.

...

Based on webinar content and known FAQs, specify a number of sub-topics, such as

...

  • Costs

Scalability

Kubernetes/Containers

...

There is no actual requirement for the Delft-FEWS components to use managed services. Managed services can be used as long as performance is not affected. As an example, customers that are using SQL Server database replication between different geographical locations reported database timeouts. In response, we've adjusted our database indexes and reconnection strategy for these problems. Since we expect Delft-FEWS users to add many more simultaneously running Forecasting Shell servers in the future, we foresee more challenges in this area. It is much better not to use the automated placement of database indexes.

How to deal with (incoming, outgoing) data feeds

  1. For file-based imports, use SFTP, Network File System (NFS) or Windows shares.
  2. Server-based imports

Security

Securing your cloud assets requires continuous investment in keeping your containers safe. An infamous example of misconfigured Kubernetes has been Tesla's unsecured admin console for a Kubernetes cluster (Lessons from the Cryptojacking Attack at Tesla). This led to malicious actors getting hold of credentials for Tesla's wider AWS environment, which they used for cryptomining. Tesla highlighted that it was a test instance "only", but this incident shows why it's really important to secure both production and pre-production resources as far as possible.

...

The bottom line is to check that any Kubernetes instances you manage are appropriately secured. Use of cloud managed Kubernetes platforms (AKS, EKS, GKE) will generally make this easier and give you more confidence compared to situations where you have to run your own cluster, as the cloud provider will take care of many aspects of configuration. But regardless, be aware that running a Kubernetes cluster well and securely is a big undertaking that requires serious, proactive and ongoing effort to keep things secure and maintained.

Deltares recommends a three-layered approach:

  1. The inner layer is the central database (and optionally Deltares Open Archive).
  2. The middle layer consists of the components that communicate directly with the database using encryption.
  3. The third layer (optional) is a reverse proxy to the database that can be accessed externally.
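
The inner layer of this approach, expressed as a Kubernetes NetworkPolicy; this is an added example, not Deltares' own configuration. The namespace, the `fews-layer` labels and port 1433 (the SQL Server default) are assumptions, as is running the central database as pods inside the cluster.

```yaml
# Added example: isolate the inner layer (central database) so that only the
# middle layer and the optional reverse proxy can open connections to it.
# Assumptions: namespace "delft-fews", pod label key "fews-layer", and a
# SQL Server database listening on its default port 1433.
# Note: NetworkPolicy is only enforced when the cluster's network plugin
# supports it; without such a plugin the object is accepted but has no effect.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database-inner-layer
  namespace: delft-fews
spec:
  # Applies to the database pods (inner layer).
  podSelector:
    matchLabels:
      fews-layer: database
  # Listing Ingress here makes the selected pods deny all inbound traffic
  # except what the rules below allow.
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Middle layer: components that talk to the database directly.
        - podSelector:
            matchLabels:
              fews-layer: middle
        # Optional third layer: the reverse proxy that is reachable externally.
        - podSelector:
            matchLabels:
              fews-layer: proxy
      ports:
        - protocol: TCP
          port: 1433
```

The policy limits who can reach the database at the network level only; the encryption between the middle layer and the database is configured on the database connection itself.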

Best practices & recommendations

...