What is a hosted control plane?
"Hosted control plane" describes a management plane that is decoupled from the clusters it serves, so that core control plane components can be controlled and managed in one consolidated place. This article explains the concept and details its benefits for Red Hat® OpenShift® Container Platform and Red Hat OpenShift Service on AWS with hosted control planes.
Benefits of hosted control planes
Hosted control planes for OpenShift Container Platform help pave the way for a true hybrid cloud approach and other benefits.
First, hosted control planes allow for running control planes on smaller nodes. As a result, clusters are more affordable.
Moreover, the control planes consist of pods that are launched on OpenShift Container Platform, which means that control planes start quickly. The same principles apply to control planes and workloads, such as monitoring, logging, and auto-scaling.
From an infrastructure perspective, HAProxy, cluster monitoring, storage nodes, and other infrastructure components can be pushed to a separate cloud provider account, isolating usage from the control plane.
The operation of managing a fleet of clusters is more centralized, which helps reduce external factors that can affect the cluster status. Site reliability engineers (SREs) have a centralized place to debug issues and navigate to the data plane, which can lead to shorter Time to Resolution (TTR) and greater productivity.
Another benefit of a hosted control plane is improved isolation. The security boundaries between management and workloads are stronger because the control plane is decoupled. This helps reduce the chances of credential leaks and accidental control plane infrastructure deletion.
Hosted control planes in Red Hat OpenShift
The standalone control plane is hosted by a dedicated group of physical or virtual nodes, with a minimum number to ensure a quorum. Additionally, the network stack is shared. Administrator access provides visibility on the state of the cluster by showing its control plane, machine management APIs, and other components.
This standalone model is desirable in some cases, but other situations require the control plane and data plane to be decoupled.
In that scenario, the data plane is on a separate network domain with a dedicated physical hosting environment. The control plane is hosted using high-level primitives, such as deployments that are native to Kubernetes.
Among other things, hosted control planes for Red Hat OpenShift accomplish the following:
- Decouple the control plane from the data plane (workers).
- Separate network domains.
- Provide a centralized interface for administrators and SREs.
In other words, the control plane performs like any workload. You can use the same stack to monitor, secure, and operate your applications and to manage the control plane.
Red Hat OpenShift Service on AWS (ROSA) with hosted control planes
Red Hat OpenShift Service on AWS (ROSA) with hosted control planes is a new deployment model for ROSA in which the control plane is hosted in a ROSA service AWS account, rather than the customer’s individual AWS account.
Hosting and managing the control plane in a ROSA service AWS account provides the most effective and efficient use of customer resources, resulting in significant cost savings, faster provisioning time, improved security posture and increased reliability for ROSA customers. With this, users experience a multitude of benefits, such as:
- Quickly and easily spin up or tear down clusters when not in use for efficiency and cost savings.
- More flexibility and portability for annual billing, allowing customers to easily change between node types.
- Smaller overall footprint.
- API availability within approximately 15 minutes for a new cluster lets you get started, build, and deploy apps faster.
- Seamless autoscaling of the control plane.
- The control plane is always highly available over multiple availability zones.
- Selectively upgrade control plane and worker nodes separately, giving increased control and flexibility for customers.
- Increased resiliency and reliability by offloading control plane infrastructure management, reducing the chance of error or deletion of resources.
How Red Hat OpenShift Service on AWS with hosted control planes helps you work
Having the control plane hosted and managed in a ROSA service AWS account rather than in the customer’s individual account offers advantages to help you work.
Provisioning is streamlined, reducing the time it takes to start deploying applications. Additionally, workload scheduling is dependent on only worker nodes, which simplifies both building and deployment. ROSA with hosted control planes also removes the need for manually scaling the control plane, as this is managed automatically in the ROSA service AWS account.
By offloading the control plane infrastructure management from the end-user, there is no longer a chance for accidental deletion of cloud resources. This is because AWS administrators will interact only with the workloads, not the control plane artifacts. Users can selectively upgrade control plane and worker nodes separately, giving increased control and flexibility.
Purpose-built for managed services, the latest iteration of ROSA streamlines how organizations deploy and manage their ROSA clusters at scale. In addition to the business benefits already highlighted, this improved architecture provides many technological benefits.
Cluster administrators can upgrade the control plane more efficiently with this approach than with ROSA Classic (standalone). Hosted control planes decouple the architecture, allowing administrators to maintain the control plane without having to upgrade the entire cluster. Various resources are moved outside the scope of the cluster boundary, and now rely on a single source of truth available through the ROSA command line interface (CLI) or OpenShift Cluster Manager (OCM) web console. All machine APIs are managed externally through the ROSA CLI or OCM as MachinePool objects. Node API resources are still available in-cluster, including the ability to label and taint existing nodes. OAuth components are also no longer exposed internally within the cluster.
The AWS policy permission set uses managed policies that are approved and published by AWS, which reduces the complexity of the prerequisites and increases security by enabling tag-based permission enforcement. The separation between control plane and worker node upgrades also enables a consistent, security-focused control plane upgrade cadence without impact to worker nodes.
Developers can spend more time developing and testing applications, instead of waiting for a cluster or infrastructure to be ready. They can roll out applications to only a single availability zone (AZ), two AZs, or all the AZs in a region without having to be concerned with the availability of the control plane, which is always distributed over multiple availability zones. Developers can also rapidly provision a dedicated and isolated control plane for each cluster, which can optionally be made available publicly or exposed privately through a dedicated AWS PrivateLink endpoint in their AWS VPC.
Hosted control planes provide greater benefit at scale. They remove the requirement of hosting the control plane components alongside every individual cluster. For smaller clusters with fewer nodes, the benefit of this Red Hat OpenShift architecture isn't as pronounced, but removing dedicated control plane nodes from the infrastructure costs of every cluster adds up to big cloud savings.
The bottom line on hosted control planes
Hosted control planes provide better cost, faster provisioning time, and security optimizations for managing your workloads. As a result, they are well suited for many use cases, such as:
- Hosting clusters with specific characteristics.
- Workload tiering.
- Flexible upgrades (control planes can be upgraded independently of workers).
Next steps
Go beyond the basics of hosted control planes by learning how to create clusters using ROSA with hosted control planes.