Sporting a Chef’s hat at ChefConf 2018 in Chicago last month, Arun Gupta, Principal Open Source Strategist at Amazon Web Services, asked a question that a lot of you have been pondering: “Do I still need Chef in the world of containers?”
During his keynote Arun opened with a restatement of the AWS Shared Responsibility Model, wherein “Security in the Cloud” is the customer’s responsibility and “Security of the Cloud” is AWS’s. This model extends into how Chef plays with the infrastructure used to host the containers across the control plane (cluster manager, scheduler and controllers) and the worker nodes (data plane).
This is where Chef Automate comes in to manage the worker nodes within the data plane. Using Chef and InSpec to manage the underlying infrastructure running the worker nodes is true for both Amazon ECS and the newly introduced EKS. Both ECS and EKS are examples of managed control planes.
The worker nodes are often created using a default image. Following the AWS Shared Responsibility Model, it’s the customer’s responsibility to ensure that the worker nodes comply with the customer’s specified compliance profile. Using AWS OpsWorks for Chef Automate, customers can automatically bootstrap the nodes that make up the container data plane, use InSpec to detect drift from the profile, and use Chef to correct it, automating the process of keeping the container worker nodes compliant.
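To make the detect-then-correct loop concrete, here is an added example in plain Ruby (not InSpec or Chef code, and not part of the ChefConf demo). It models a small compliance profile for a Kubernetes worker node’s kubelet configuration: the `detect` function plays the role of an InSpec control (report what fails, change nothing), and `correct` plays the role of a Chef resource (converge to the expected value, report whether anything changed, and do nothing on a second run). The sample kubelet settings and the three rules are assumptions chosen for illustration; the kubelet keys used (`authentication.anonymous.enabled`, `authorization.mode`, `readOnlyPort`) are real KubeletConfiguration fields, but which values a given profile requires is up to the customer.

```ruby
require 'yaml'

# Constructed sample: a kubelet configuration as it might look on a worker
# node built from a default image (hypothetical, not from the demo repo).
SAMPLE_KUBELET_CONFIG = <<~YAML
  apiVersion: kubelet.config.k8s.io/v1beta1
  kind: KubeletConfiguration
  readOnlyPort: 10255
  authentication:
    anonymous:
      enabled: true
  authorization:
    mode: AlwaysAllow
YAML

# The "compliance profile": each rule is what an InSpec control would assert,
# plus the value Chef would converge the node to. Assumed rules for illustration.
PROFILE = [
  { id: 'kubelet-anon-auth', path: %w[authentication anonymous enabled], expected: false,
    desc: 'Anonymous requests to the kubelet must be rejected' },
  { id: 'kubelet-authz-mode', path: %w[authorization mode], expected: 'Webhook',
    desc: 'Kubelet must delegate authorization to the API server' },
  { id: 'kubelet-ro-port', path: %w[readOnlyPort], expected: 0,
    desc: 'Unauthenticated read-only port must be disabled' }
].freeze

# Detect (InSpec role): evaluate the profile against a parsed config and
# return one finding per failing rule. An empty array means compliant.
def detect(config, profile = PROFILE)
  profile.reject { |rule| config.dig(*rule[:path]) == rule[:expected] }
         .map { |rule| { id: rule[:id], desc: rule[:desc], actual: config.dig(*rule[:path]) } }
end

# Correct (Chef role): converge the config to the expected values. Returns
# [new_config, changed?]; the input is left untouched so the caller can diff.
# Running it twice yields changed? == false, i.e. it is idempotent.
def correct(config, profile = PROFILE)
  updated = Marshal.load(Marshal.dump(config)) # deep copy
  changed = false
  profile.each do |rule|
    parent = rule[:path][0..-2].inject(updated) { |h, k| h[k] ||= {} }
    key = rule[:path].last
    next if parent[key] == rule[:expected]

    parent[key] = rule[:expected]
    changed = true
  end
  [updated, changed]
end

# One full compliance run: detect, correct, then verify the converged config.
def compliance_run(yaml_text)
  config = YAML.safe_load(yaml_text)
  before = detect(config)
  fixed, changed = correct(config)
  after = detect(fixed)
  {
    findings_before: before.map { |f| f[:id] },
    changed: changed,
    findings_after: after.map { |f| f[:id] },
    config: fixed.to_yaml
  }
end

if __FILE__ == $PROGRAM_NAME
  result = compliance_run(SAMPLE_KUBELET_CONFIG)
  puts "Findings before converge: #{result[:findings_before].join(', ')}"
  puts "Converged: #{result[:changed]}, findings after: #{result[:findings_after].inspect}"
  puts result[:config]
end
```

The split matters operationally: the detect step can run on a schedule against every node and feed a compliance dashboard without touching anything, while the correct step only produces a change (and therefore a report line) when a node has drifted, which is exactly the signal you want from a converge run.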
Arun was joined on stage by his colleague Darko Mesaroš to demonstrate automating the compliance of a Kubernetes cluster using OpsWorks for Chef Automate. While Darko specifically used Kubernetes in his demo, the concepts apply to any container orchestrator. And to allow the community to benefit from AWS’s work in this area, Arun and Darko open sourced the demo code at the end of their presentation. The code, along with more information about the integration, can be downloaded from this GitHub repo.
Running containers? Don’t ignore the underlying worker nodes. Easily get started using OpsWorks for Chef Automate and offload the task of running the infrastructure to AWS. You can also download the code used in the ChefConf demo here.