
Pulumi expands arsenal to alleviate Kubernetes headaches

Improved security, greater scalability and more flexibility


Pulumi, provider of Infrastructure as Code (IaC) solutions for managing Kubernetes and cloud environments, is releasing a series of new features that improve security, flexibility, and scalability for Kubernetes teams.

Chief among them are improvements to the Amazon Elastic Kubernetes Service (EKS) provider, an update to the Pulumi Kubernetes Operator and new integration with Kubernetes’ External Secrets Operator. These updates simplify Kubernetes management, increase security and align configurations in complex cloud-native environments.

First, Pulumi’s latest EKS provider v3 now supports two major operating systems – Amazon Linux 2023 and Bottlerocket. The provider is tailor-made for the managed Kubernetes service of Amazon Web Services (AWS). For context, Amazon Linux 2023 is specifically for running general-purpose workloads in AWS services. Meanwhile, the Bottlerocket OS (also developed by AWS, by the way) focuses on running containerized applications with particular attention to security.

Pod-level access control

In addition, the EKS v3 provider now includes EKS Security Groups for Pods and Network Policies. These improve the ability to segment and control pod-level network access within Kubernetes clusters, making it easier for IT teams to isolate sensitive workloads and apply security policies directly to them. This is particularly important in multi-tenant environments.

Because we don’t expect every reader of Techzine to already be a Kubernetes expert: a Pod is the smallest unit in Kubernetes, grouping one or more containers that share resources. Pods can be created, scaled, or destroyed at will, which is immensely useful when managing large distributed workloads. Pods run on a Kubernetes cluster, which also manages the nodes and other components.
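To make the pod-level isolation described above concrete, here is an added example (not Pulumi's code, and not from the article) that models the ingress semantics of Kubernetes NetworkPolicy: a pod selected by any policy is default-deny, and traffic is admitted only when some selecting policy has a matching rule. It builds the two policies a platform team would typically pair, a namespace-wide default deny and a narrow allow rule, and evaluates sample flows between tenants. The pods, namespaces, tenant labels and policy names are constructed; only `matchLabels` selectors, ingress rules and pod/namespace peers are modelled.

```python
"""Minimal evaluator of Kubernetes NetworkPolicy ingress semantics (added example).

Models the rules that make pod-level segmentation work: a pod selected by at
least one NetworkPolicy is default-deny for ingress, and a packet is admitted
only if some selecting policy has a rule whose peers and ports match. Only
matchLabels selectors, ingress rules and pod/namespace peers are modelled
(no matchExpressions, egress or ipBlock). All pods, namespaces and policies
below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)


# Constructed namespace labels. Kubernetes adds kubernetes.io/metadata.name
# itself; the tenant label is something a platform team would set.
NAMESPACE_LABELS = {
    "payments": {"kubernetes.io/metadata.name": "payments", "tenant": "finance"},
    "marketing": {"kubernetes.io/metadata.name": "marketing", "tenant": "growth"},
}


def labels_match(selector: dict, labels: dict) -> bool:
    """A selector with no matchLabels (e.g. {}) matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer: dict, src: Pod, policy_ns: str) -> bool:
    """Evaluate one entry of an ingress rule's 'from' list against the source pod."""
    pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
    ns_labels = NAMESPACE_LABELS.get(src.namespace, {})
    if pod_sel is not None and ns_sel is None:
        # podSelector alone is scoped to the policy's own namespace
        return src.namespace == policy_ns and labels_match(pod_sel, src.labels)
    if ns_sel is not None and pod_sel is None:
        return labels_match(ns_sel, ns_labels)
    if ns_sel is not None and pod_sel is not None:
        # both present: the source must match both (logical AND)
        return labels_match(ns_sel, ns_labels) and labels_match(pod_sel, src.labels)
    return False  # ipBlock peers are out of scope for this model


def ingress_allowed(policies: list[dict], src: Pod, dst: Pod, port: int, protocol: str = "TCP") -> bool:
    """Would traffic from src reach dst:port under the given NetworkPolicies?"""
    selecting = []
    for pol in policies:
        spec = pol["spec"]
        types = spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))
        if (pol["metadata"]["namespace"] == dst.namespace
                and "Ingress" in types
                and labels_match(spec.get("podSelector", {}), dst.labels)):
            selecting.append(pol)
    if not selecting:
        return True  # no policy selects the pod: Kubernetes' default is allow-all
    for pol in selecting:
        for rule in pol["spec"].get("ingress", []):
            peers, ports = rule.get("from"), rule.get("ports")
            from_ok = not peers or any(peer_matches(p, src, dst.namespace) for p in peers)
            port_ok = not ports or any(
                p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)
            if from_ok and port_ok:
                return True
    return False  # selected, but no rule admits this traffic


def default_deny_ingress(namespace: str) -> dict:
    """Baseline: select every pod in the namespace and list no ingress rules."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": "default-deny-ingress", "namespace": namespace},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}


def allow_tenant_frontends(namespace: str, app: str, tenant: str, port: int) -> dict:
    """Allow only 'frontend' pods from namespaces of the same tenant to reach app:port."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": f"allow-{app}-from-{tenant}", "namespace": namespace},
            "spec": {"podSelector": {"matchLabels": {"app": app}},
                     "policyTypes": ["Ingress"],
                     "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"tenant": tenant}},
                                            "podSelector": {"matchLabels": {"role": "frontend"}}}],
                                  "ports": [{"protocol": "TCP", "port": port}]}]}}


def tenant_isolation_results() -> dict[str, bool]:
    """Constructed scenario: a database in 'payments', one tenant's frontend, one other-tenant pod."""
    db = Pod("ledger-db", "payments", {"app": "ledger-db"})
    frontend = Pod("ledger-web", "payments", {"app": "ledger-web", "role": "frontend"})
    other_tenant = Pod("newsletter", "marketing", {"app": "newsletter", "role": "frontend"})
    policies = [default_deny_ingress("payments"),
                allow_tenant_frontends("payments", "ledger-db", "finance", 5432)]
    return {
        "frontend_to_db_5432": ingress_allowed(policies, frontend, db, 5432),           # True
        "frontend_to_db_22": ingress_allowed(policies, frontend, db, 22),               # False
        "other_tenant_to_db": ingress_allowed(policies, other_tenant, db, 5432),        # False
        "unpoliced_namespace": ingress_allowed(policies, frontend, Pod("blog", "marketing"), 80),  # True
    }


if __name__ == "__main__":
    for check, allowed in tenant_isolation_results().items():
        print(f"{check}: {'ALLOW' if allowed else 'DENY'}")
```

The last result is the one worth remembering: a namespace with no policy at all stays wide open, so the default-deny object has to be applied per namespace (or generated for every namespace by the IaC layer) before the allow rules mean anything.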

Each stack its own pod

A further enhancement is to the Pulumi Kubernetes Operator, now at version 2. It introduces dedicated workspace pods: each stack is isolated in its own ‘workspace’ pod, allowing better resource separation and more security in multi-team or multi-project environments.

This approach is scalable, gives teams more control over resource allocation, and ensures that workloads stay neatly within their own stack. According to Pulumi, this setup is especially useful for teams using a GitOps workflow, where the process of updating and managing applications happens through changes to the code.

Pulumi’s setup allows each part of the application infrastructure (such as servers, networking and storage) to be organized separately. This structure gives the customer more control over each component, even if the application consists of multiple interconnected components that depend on each other to work properly.

Secrets as an environment variable

Pulumi has further found an innovative way to keep secret data safe. It integrates its recently introduced Environments, Secrets, and Configuration (ESC) service with Kubernetes’ own External Secrets Operator (ESO). This integration allows secrets such as passwords and API keys to be injected directly into Kubernetes applications as environment variables.

The ESC/ESO integration enables Kubernetes applications to retrieve credentials without exposing them in the application code by retrieving such secrets from secure sources such as Azure Key Vault or 1Password. This results in easier management and enforces best practices in handling secrets. The result is less chance of misconfigurations or leaks—at least that’s the intention.
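The Kubernetes-side shape of that pattern, as an added Python example that is neither Pulumi's nor the External Secrets Operator's own code: an `ExternalSecret` asks ESO to materialise a Kubernetes Secret from a named store, the Deployment consumes it only through `secretKeyRef` environment variables, and a small manifest check flags credential-looking env vars that are pasted in as literals or read from a ConfigMap. The `ExternalSecret` fields follow the `external-secrets.io/v1beta1` API; the store name `pulumi-esc`, all secret and key names and the Deployment are constructed placeholders, and the `SecretStore` object that would point at a Pulumi ESC environment is not shown because its provider fields are not on this page.

```python
"""Added example: the Kubernetes-side shape of the ESC/ESO pattern, plus a
manifest check that a workload only takes secrets by reference.

ExternalSecret fields follow the external-secrets.io/v1beta1 API of the
External Secrets Operator. The SecretStore name 'pulumi-esc', the secret and
key names and the Deployment are constructed placeholders; the SecretStore
object itself is not shown.
"""
from __future__ import annotations


def external_secret(name: str, store: str, keys: dict[str, str]) -> dict:
    """ExternalSecret: ask ESO to materialise a Kubernetes Secret `name` from `store`.

    `keys` maps the key in the generated Secret to the key in the remote store.
    """
    return {
        "apiVersion": "external-secrets.io/v1beta1",
        "kind": "ExternalSecret",
        "metadata": {"name": name},
        "spec": {
            "refreshInterval": "1h",  # ESO re-reads the store and updates the Secret on this cadence
            "secretStoreRef": {"name": store, "kind": "SecretStore"},
            "target": {"name": name, "creationPolicy": "Owner"},
            "data": [{"secretKey": local, "remoteRef": {"key": remote}} for local, remote in keys.items()],
        },
    }


def env_from_secret(var: str, secret: str, key: str) -> dict:
    """Container env entry that references a Secret key instead of carrying a value."""
    return {"name": var, "valueFrom": {"secretKeyRef": {"name": secret, "key": key}}}


def deployment(env: list[dict]) -> dict:
    """Constructed Deployment skeleton with a single container and the given env list."""
    return {
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "billing-api"},
        "spec": {"template": {"spec": {"containers": [
            {"name": "api", "image": "registry.example/billing-api:1.0", "env": env}]}}},
    }


# Names that suggest an env var carries a credential (constructed, not exhaustive).
SECRET_NAME_HINTS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY")


def inline_secret_findings(manifest: dict) -> list[str]:
    """Report credential-looking env vars that are literals or come from a ConfigMap.

    Both are readable to anyone who can read the manifest or the ConfigMap,
    which is exactly what routing them through ESO is meant to avoid.
    """
    findings = []
    for container in manifest["spec"]["template"]["spec"]["containers"]:
        for entry in container.get("env", []):
            name = entry["name"]
            if not any(hint in name.upper() for hint in SECRET_NAME_HINTS):
                continue
            source = entry.get("valueFrom", {})
            if "value" in entry:
                findings.append(f"{container['name']}/{name}: literal value in manifest")
            elif "configMapKeyRef" in source:
                findings.append(f"{container['name']}/{name}: read from ConfigMap, not a Secret")
    return findings


def hardened_manifests() -> tuple[dict, dict]:
    """ExternalSecret plus a Deployment that consumes it by reference only."""
    es = external_secret("billing-api-creds", "pulumi-esc",
                         {"db_password": "billing/db/password", "stripe_key": "billing/stripe/key"})
    dep = deployment([
        {"name": "LOG_LEVEL", "value": "info"},  # not a secret; a literal is fine here
        env_from_secret("DB_PASSWORD", "billing-api-creds", "db_password"),
        env_from_secret("STRIPE_API_KEY", "billing-api-creds", "stripe_key"),
    ])
    return es, dep


def leaky_manifest() -> dict:
    """The anti-pattern: credentials pasted into the Deployment (values are fake)."""
    return deployment([
        {"name": "DB_PASSWORD", "value": "hunter2-constructed"},
        {"name": "STRIPE_API_KEY", "valueFrom": {"configMapKeyRef": {"name": "app-config", "key": "stripe"}}},
    ])


if __name__ == "__main__":
    print("hardened:", inline_secret_findings(hardened_manifests()[1]) or "no findings")
    print("leaky:", inline_secret_findings(leaky_manifest()))
```

The check is deliberately narrow: it tells you whether a workload is wired to the Secret at all, not whether the Secret's contents are sound. The "less chance of leaks" claim still depends on who can read Secrets in that namespace, so RBAC on `get`/`list` for Secrets and the store's own access policy remain part of the picture.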

These additions fit quite neatly into Pulumi’s broader Infrastructure-as-Code approach, which lets developers manage their cloud and Kubernetes resources through code rather than relying on lengthy YAML configurations. While individual YAML files may be easier to set up, companies running a serious number of workloads across multiple environments may benefit greatly from the simplification offered by IaC.
