<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[Stories by KusionStack on Medium]]></title>
        <description><![CDATA[Stories by KusionStack on Medium]]></description>
        <link>https://medium.com/@kusionstack?source=rss-aebb5f8bf4ad------2</link>
        <image>
            <url>https://cdn-images-1.medium.com/fit/c/150/150/1*01EKocTpSlxpytDItu9Frw.png</url>
            <title>Stories by KusionStack on Medium</title>
            <link>https://medium.com/@kusionstack?source=rss-aebb5f8bf4ad------2</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Tue, 07 Jul 2026 07:04:00 GMT</lastBuildDate>
        <atom:link href="https://medium.com/@kusionstack/feed" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[KusionStack & KCL 2024 Annual Report]]></title>
            <link>https://medium.com/@kusionstack/kusionstack-kcl-2024-annual-report-89ad2a1fe2a7?source=rss-aebb5f8bf4ad------2</link>
            <guid isPermaLink="false">https://medium.com/p/89ad2a1fe2a7</guid>
            <dc:creator><![CDATA[KusionStack]]></dc:creator>
            <pubDate>Tue, 28 Jan 2025 16:58:24 GMT</pubDate>
            <atom:updated>2025-01-28T16:58:24.313Z</atom:updated>
            <content:encoded><![CDATA[<p>As we bid farewell to the old and welcome the new year, we are pleased to announce the release of KusionStack &amp; KCL 2024 Annual Report. 2024 has been a pivotal one for KusionStack &amp; KCL, we made significant progress across multiple fronts, for the new year, we look forward to more changes and developments. Here are some key parts of our annual report.</p><p>First of all, the key metrics of growth:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*RNoai8CYfp7Mjpkp3KpEgA.png" /></figure><p>the key milestones of 2024:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*k308dzuWnrZ9w519sO9PzQ.png" /></figure><p>and part of our global wide enterprise users:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*JlMJLkAecfC5wLmCrse2Zg.png" /></figure><p>For more detailed annual report, please visit our online <a href="https://2024-annual-report.vercel.app/">vercel app</a>, the last but not the least, Happy Chinese New Year to everyone, wish you happy and healthy !</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*aI-PLsLU9fV0Ba3YwZYlYA.png" /></figure><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=89ad2a1fe2a7" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Configuration Management at Ant Group: Generated Manifest & Immutable Desired State]]></title>
            <link>https://medium.com/@kusionstack/configuration-management-at-ant-group-generated-manifest-immutable-desired-state-3c50e363a3fb?source=rss-aebb5f8bf4ad------2</link>
            <guid isPermaLink="false">https://medium.com/p/3c50e363a3fb</guid>
            <category><![CDATA[cloud-computing]]></category>
            <category><![CDATA[case-study]]></category>
            <category><![CDATA[kubernetes]]></category>
            <category><![CDATA[configuration-management]]></category>
            <category><![CDATA[devops]]></category>
            <dc:creator><![CDATA[KusionStack]]></dc:creator>
            <pubDate>Tue, 21 Jan 2025 13:02:06 GMT</pubDate>
            <atom:updated>2025-01-22T02:57:57.267Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*pOnyjzIUkuEnqpuO.png" /><figcaption>Ant Group owns Alipay, the largest payment platform in China with over a billion users.</figcaption></figure><h3>Introduction</h3><p>Configuration Management and Configuration-as-Code(CaC) are pivotal concepts in modern software development. At <a href="https://www.antgroup.com/en">Ant Group</a>, as the product development and operations scale, and business portfolio diversifies, the demands for rapid iteration and stringent regulatory compliance present substantial challenges to effective configuration management.</p><p>This series of articles is dedicated to exploring the intricacies of configuration management at Ant Group, walking through challenges and solutions in detail, discussing architectures, proposing best practices that have proven effective in production at massive scale, and looking ahead into the future of configuration management.</p><p>In this first article, we will examine the specific challenges we encountered over the years, the strategies we devised to address them, and the resulting patterns that have emerged as what we believe to be best practices — <strong>Generated Manifest &amp; Immutable Desired State</strong>. Through this exploration, we aim to provide valuable insights and practical guidance for navigating the complexities of configuration management in a dynamic and highly regulated environment.</p><h3>Challenges &amp; solutions</h3><h4>1. Infrastructure Complexity</h4><p>Infrastructure complexity is the elephant in the room for any modern-day software deployments.</p><p>The inherent intricacy of the <a href="https://github.com/kubernetes/kubernetes">Kubernetes</a> ecosystem is a reality that developers face from Day 1 and continues to evolve as the product matures. Ant Group runs over 90% of the workload on Kubernetes, which means this complexity is passively falling upon all the developers. This complexity is compounded by the myriad of operational considerations, including the cross-region or multi-cluster setups, resource allocations, networking configurations and such, all of which demand considerable amount of attention.</p><p>Applications today also often needs to connect to a variety of non-Kubernetes services, such as managed databases, message queues, and cloud storage, etc. New features are also continously getting added by the infrastructure providers, but this means that developers must commit to continuously learning and adapting to keep up with the pace. This results in massive cognitive loads on the developers.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*J6wllhA_Cvj2x9gS.png" /><figcaption>Infrastructure Complexity is horrifying. Source: David Bell</figcaption></figure><h4>Abstractions, Models &amp; DSLs</h4><p>As software engineers, abstraction is a natural response that comes to mind. We introduced an abstraction layer and a dedicated DSL to do so. <a href="https://www.kcl-lang.io/">KCL(Kubernetes Configuration Language)</a> was born. Instead of writing static Kubernetes YAMLs that are both weakly-typed and complicated, we encourage our developers to use a strongly-typed DSL with semantic validation, structs and inheritance, constraint definitions, conditional statements, functions and such.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*B46dK81T2Y-LSnRL" /><figcaption>A sample KCL Schema Definition with Validation</figcaption></figure><p>With abstractions, we have defined a top level model named <a href="https://github.com/KusionStack/kam/blob/main/v1/app_configuration.k">AppConfiguration</a>. It covers all of the resources an application needs to run. Both Kubernetes and Non-Kubernetes resources are included in the same set of application configurations to ensure uniformity and minimize developer’s burden to understand every little detail of infrastructure. But that creates new problems.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*hK-kg3TrRVfvpjyw.png" /><figcaption>An instance of AppConfiguration</figcaption></figure><h4>2. Mismatched Rights and Obligations &amp; Platform Orchestrator</h4><p>The resulting configuration is made of both Kubernetes and non-Kubernetes resources, which means it controls both application workload (where application code runs) itself, and its environment-specific, cloud-specific, dependent infrastructures. One of the infamous side effect with Infrastructure-As-Code is its scary blast radius, especially when some of the infrastructure could be serving more than just a single application.</p><p>As an application developer, these infrastructure settings might just be the least they want to worry about. Developers are not familiar with them, yet they will have to be held accountable for the adequacy of their configurations. This is undeniably horrifying experience and afflicts countless confusion and suffering to the application developers.</p><p>Take sidecar as an example, the platform could have provided an abstraction for provisioning a sidecar container, but most developers won’t know or even care whether their application should have one. Alternatively, it could even be a security mandate to use one. In these cases, developers are forced upon the accountability to maintain such a sidecar configuration as part of the AppConfiguration model, and subsequently responsible for its entire lifecycle.</p><h4>Separation of concerns</h4><p>Our solution to this is <strong>separation of concerns</strong>. In modern day software architecture, you can’t expect one person to know everything about every corner case of every infrastructure. The launch of an application generally involves a number of systems, platforms and infrastructures, each backed with different teams or organizations. Different parties may carry different intents on how to provision resources, without a single person knowing all of them. This is the very source for the proliferation and complexity in application configuration management. But the need for these diverse infrastructures is real. The need for inputs from multiple roles in an organization is real. So we need a way to break down the application configurations into smaller pieces so each role can only care about what they <strong>NEED</strong> to care about.</p><p>The infrastructure teams may have the knowledge on the infrastructure they manage, but not in the application itself (i.e. how do they want to use the infrastructure). The application team goes the other way around. A gap therefore emerges. The reconciliation needs to happen somewhere in the workflow. In most <strong>Platform-As-A-Service</strong> pattern, this is when we see developers consistently talking to infrastructure or platform teams and trying to figure out what those configurations mean and what they do.</p><p>The problem is, in a lot of the times, this interaction is extremely <strong>people-driven</strong>. Or in other words, you’ll have to find “<strong>THE</strong> <strong>right person</strong>” and expect them to be familiar with the exact context you need. Not only is this a counterproductive and repetitive effort, the resulting knowledge in most of the time cannot be effectively documented or codified for future iterations and success. This is what we consider an ineffective, people-driven collaboration pattern, which we wish to pivot to a <strong>protocol-driven</strong> one, where no one gets blocked when this key person inevitably takes a two-week vacation in Hawaii.</p><h4>Platform Engineers &amp; A proliferation of viewpoints</h4><p>What we also see going on in the industry and with the Platform Engineering evolution is the emergence of “<strong>Platform Engineers</strong>”, how it’s distinct from the “<strong>Application Developers</strong>”, and how they will be in charge of managing things that “Application Developers” don’t. In an ideal world, “Application Developers” are in charge of implementing the business logic, while “Platform Engineers” cover the rest, including those that make the business logic run and last. Another observations we made when we practiced separation of concerns is that we often discovered multiple roles underneath this hat of “Platform Engineers”, like compliance, security, network engineers, etc. And in some cases, one can be in multiple roles. Each role will have their own perspective when expressing intents.</p><p>What we have decided the key to the problem is this mismatch between rights and obligations, between “What one actually cares about” and “What one should care about”. The key is NOT identifying those fields that change more frequently than others, or to exhaust all the possible abstractions. The key is to provide a mechanism that allows engineers in different roles to each express their share of the intents, both environment-agnostic and environment-specific ones, and a golden path for them to do so.</p><p>Hence, the need for a <a href="https://github.com/KusionStack/kusion"><strong>Platform Orchestrator</strong></a><strong> </strong>was identified. The Platform Orchestrator is a system designed to capture and “orchestrate” intents from different viewpoints, and connecting them with different infrastructures. It serves as the glue for different intents throughout the software development lifecycle, from deployment to monitoring and operations, ensuring that users’ intentions can seamlessly integrate and flow across different environments and infrastructures.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*JatHOyoh0eFzOQPagkzuzA.png" /><figcaption>How the simplest Platform Orchestrator work</figcaption></figure><h4>3. Massive scaling &amp; Dynamic Configuration Management</h4><p>Again that doesn’t solve all the problems. Scaling, for one, poses significant challenges when we tried to roll out the new paradigm.</p><p>Based on the idea of separation of concerns, we can split the configurations into smaller pieces based on roles and “merge” them into a complete one all we want. In reality, applications usually needs to be deployed to multiple clouds, sites, regions, tenants, datacenters, environments, or in some cases, even smaller units of deployment. They may share 90% of the configurations, but the other 10% could be entirely different, namely environment variables, or database sizes, or container images for example. In Ant Group, there are 16 combinations of these different layers that may have different configurations from one another.</p><p>From the perspective of configuration management and keeping your configurations DRY (Don’t Repeat Yourself), it would be a terrible idea to copy a set of configurations for each possible deployment targets. Rather, if you think the likes of Helm or Kustomize, what we are proposing here is a similar pattern where the final resource manifests are dynamically rendered from a series of inputs and some rendering logic. The difference being:</p><ol><li>The manifest will cover non-Kubernetes resources so it would be application-scoped, rather than only Kubernetes-resource-scoped. This manifest will serve as the single source of truth for all the resources needed (and we have a plan for not just resources in the future) to idempotently pull up an application at any time or from the ground up.</li><li>The rendering logic are written in a General Programming Language rather than a templating language to support rather complex logic. We knew we need this when parts of the resource specifications need to be retrieved dynamically from a centralized location, for example a CMDB. This is actually a pretty common case in our practice.</li></ol><h4>Generated Manifests — Specs</h4><p><strong>In comes the </strong><a href="https://www.kusionstack.io/docs/next/concepts/spec"><strong>Specs</strong></a><strong>. </strong>The spec is a system-generated, immutable, declarative representation of the resources involved in a particular deployment. As opposed to the static configurations that are stored in a Git repository, which may or may not be scoped to a given deploy target, a spec is dynamically rendered from the aggregated intents from multiple sources, including those that are target-specific, and those aren’t (e.g. global configs, constraints posed by security, compliance and so on, for example what kind of application may have Internet access). Specs are resource-facing desired states and are always rendered on the spot based on all the relevant inputs.</p><p>The <strong>Specs</strong> are designed to be <strong>THE</strong> intermediate data layer between configuration code and actual resources. It is designed to be a structured data format that is both machine-friendly (so that we can use the proper libraries to process and actualize them) and human-friendly (so that it provides a readable reference to the resource perspective of an application). In this workflow, the component that processes the resources in the Spec is called a <strong>Runtime</strong>. Runtimes are in charge of bridging the resource specification to the actual infrastructure API. For Kubernetes resources, its runtime uses client-go to connect to the clusters. For the cloud resources, we are using IAC tools like Terraform/Crossplane and their providers to connect to the cloud control APIs. Runtimes are also extensible.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*Hiqo6GMEMqwTFhss.png" /><figcaption>The flow from intents to reality</figcaption></figure><p>The rendering logic in this case are produced by “Generators”, which are pieces of code written and distributed in Go. Generators are in charge of converting configuration code written in KCL into resource specifications in the Spec. They are packaged and wrapped inside a GRPC server whose lifecycle are dynamically managed as individual go-plugins.</p><p>Once a Spec is generated for a given application deployment, it is considered THE immutable source of truth for its resources. You can think of it like an artifact of the configuration code, similar to a JAR file built from the Java source code. If anything in the configuration is changed, a new Spec shall be re-generated when a new deployment happens. Similar to that of an artifact, we also opt for proper version control for audit purposes and potential rollbacks.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*5Cjhdbq229jetGia.png" /><figcaption>Sample of A Dynamically-Generated Spec</figcaption></figure><h4>Intents Grid &amp; Deployment-Specific Constraints</h4><p>Now back to scaling. Remember in the beginning when we talked about how there may be a proliferation of layers of different configurations based on deployment targets, and a proliferation of roles that are individually responsible for a different set of infrastructures, each needs to express their intents on deployments. This forms a so-called “Intents Grid”.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*rdTPX0KY-yokk8IY.png" /><figcaption>A sparse Intents Grid</figcaption></figure><p>Splitting the grid vertically are the different roles and viewpoints from infrastructures that form the actual runtime environment for an application. Each infrastructure viewpoint may raise certain constraints or have opinionated defaults that may affect the outcome resources. For example, the storage team requires the use of standard-tier S3, or the security team mandates Customer-Managed-Keys for data-at-rest encryption in production environments. Horizontally diving the grid are the physical or logical deployment targets for an application. Together they form a grid that captures the operational intents from all the possible sources into a set of deployment-specific constraints. In the prior S3 example, when application team declares “my application needs 50 Gigs of object storage”, and when this application is deployed to production in us-east-1 region on AWS, the final resource generated will be a <strong>standard-tier S3 with 50 Gigs size, CMK enabled in the us-east-1 region</strong>.</p><p>Note that this may generally be a sparse grid, where not every single intersection represent an existing intent. But by collecting all the intents on this grid, we form a finalized, orchestrated intent that encapsulates the input from all the relevant platform perspectives. Combine it with the application developer’s input, they are fed into the generators to produce the resource-facing manifest, aka. the <strong>Spec</strong>.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*tjHnq6yhSgm_5LEH.png" /><figcaption>A Sample End-To-End Flow</figcaption></figure><h4>4. The need for an open platform</h4><p>Up until here, it’s very likely that we will end up with a highly-bespoke system if the platform team holds the key to all the rendering logic. In fact we have unsurprisingly been in this exact situation where the platform team becomes the bottleneck and the system gradually turns into a black box over time to the application teams. The need for new infrastructures is always expanding and it’s evolving fast in a growing organization, which calls for a mechanism to build and sustain an ecosystem upon an open platform, where everyone can come in and define their own rendering logic. This founds familiar isn’t it?</p><p>Naturally, the solution to enable Bring-Your-Own-Logic is to make them out-of-tree. So we’ve introduced the concept of a “<a href="https://www.kusionstack.io/docs/next/concepts/module/overview">Kusion Module</a>”. Each is made of two things:</p><ul><li>A user friendly schema (written in DSL) that is consumed directly by the developers</li><li>The rendering logic (written in GPL) that takes all the end-user inputs, mix them with opinionated platform defaults, and produce the resource-facing Spec</li></ul><p>We encourage Platform Engineers to produce modules as needed and we are providing the frameworks to do so. A Generator interface requires a Generate() method that takes in a GeneratorRequest and returns a GeneratorResponse with the generated resources, both are types that is defined by the standardized <a href="https://github.com/KusionStack/kusion-module-framework">Kusion Module Framework</a>.</p><h3>Best Practices</h3><p>To summarize, what we are proposing and ending up with is a pattern that involves the following:</p><ol><li><strong>Expressing Intents:</strong> The end users will express their intents and write configurations in user-friendly DSLs. This includes more than just the application developers, but also those that are setting the platform or environment-wide standards, for example, security engineers, network engineers, or DBAs, each having their own perspectives on what needs to be configured on the application infrastructures.</li><li><strong>Dynamically Assemble Configurations</strong>: These configurations will then be put together dynamically in a “reasonable” way. For example, a security engineer defines the minimum TLS version to be 1.2 when the application is using databases. This gets combined with the application developers’ need for a database (among others) into what we call a <strong>Final Intent</strong>.</li><li><strong>Handle Final Intent:</strong> The “final intent” then gets feed into the module generators, which will then transform the “final intent” into a resource-facing data format. <strong>Generators</strong> are written in General Programming Languages and can contain complex logic, including fetching data from other sources like a CMDB.</li><li><strong>Generate Immutable Specs</strong>: This “<strong>Generated Manifest</strong>” is considered to be THE immutable, declarative desired state to a given application deployment. It serves as the Single Source Of Truth for the application resources. Should anything go wrong in a future release, it can be used to roll back to this specific version of resources that stay exactly the same as it was (There could be new problems, we will raise them as a question at the end).</li><li><strong>Extensible Runtimes</strong>: Between the Spec and the actual resource APIs are <strong>Runtimes</strong>. They can be considered the “top-level SDKs” that take resources in the Spec as input, connect with the underlying infrastructure provider, and manage the lifecycle of said resources via their current and desired states. In the case of Kubernetes resources, the runtime is built on top of client-go. For Terraform resources, it’s on top of the Terraform CLI. While this pattern works well with public cloud providers, in the case of on-premise infrastructures, this will require a certain level of automation and maturity from the infrastructure service providers that enables resource lifecycle management via robust CRUDL APIs.</li></ol><h3>Open Discussions &amp; Up Next</h3><p>In the concluding section, we will pose a question (on closure, no pun intended 😝) instead:</p><p>In our previous assumptions, we considered the Spec as the SSOT (single-source-of-truth) for resources. Our expectation for the configuration management workflow is that it should possess the property of <strong>closure — </strong>that is, the same <strong>Configuration Code</strong> give to the same version of the <a href="https://github.com/KusionStack/kusion">Kusion</a> Module <strong>Generators</strong> should produce the same <strong>Spec</strong>. Similarly, the same <strong>Spec</strong> given to the same version of the <strong>Runtime</strong> and infrastructure should ideally produce the same set of <strong>Resources</strong> idempotently.</p><p>But this property of closure is not guaranteed. Without it, “perfect” rollbacks are hard to achieve. Even with Generators remain the same, they could be retrieving data from external sources. If an external data source, such as a CMDB changes, the generated Spec will also change. Likewise, if the version of the infrastructure API changes (for instance, if a parameter changes), the behavior of rolling back resources with the same Spec is also unpredictable. <strong>In this scenario, what can truly be considered the Single Source Of Truth?</strong></p><p>In the next article, we will delve into the large-scale dynamic configuration management and its implementation practice at Ant Group, providing a more detailed introduction to the relevant technologies and architecture.</p><p>Stay tuned!</p><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=3c50e363a3fb" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[KusionStack joins the CNCF Sandbox!]]></title>
            <link>https://medium.com/@kusionstack/kusionstack-joins-the-cncf-sandbox-b03fc8500978?source=rss-aebb5f8bf4ad------2</link>
            <guid isPermaLink="false">https://medium.com/p/b03fc8500978</guid>
            <category><![CDATA[software-development]]></category>
            <category><![CDATA[cloud-computing]]></category>
            <category><![CDATA[open-source]]></category>
            <category><![CDATA[platform]]></category>
            <category><![CDATA[kubernetes]]></category>
            <dc:creator><![CDATA[KusionStack]]></dc:creator>
            <pubDate>Mon, 30 Dec 2024 13:32:34 GMT</pubDate>
            <atom:updated>2024-12-30T13:32:34.895Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*MVyDZt6Em-q8z3dC" /></figure><p>With the holiday season approaching, we have wonderful news to share.</p><p>We are thrilled to announce that <a href="https://github.com/KusionStack">KusionStack</a> has joined the Cloud Native Computing Foundation (CNCF) as a Sandbox Project following a vote by the Technical Oversight Committee (TOC) in Q4 2024. We would like to extend our heartfelt gratitude to all the CNCF staff involved for the invaluable guidance throughout the process, and to our community and the team for the overwhelming support that made this happen.</p><h3>What is KusionStack? A Brief History</h3><p>KusionStack was first incubated at Ant Group in 2020 as an Infrastructure-As-Code tool, accompanied by KCL, designed to simplify and standardize cloud-native resource management. Throughout the years, with the concept of Platform Engineering emerging, KusionStack has growed into a loosely-coupled Platform Engineering toolkit, intend to empower platform teams altogether in developing enterprise grade, production-ready, self-service-able <a href="https://internaldeveloperplatform.org/">Internal Developer Platforms</a> (IDPs).</p><p>KusionStack provides a comprehensive set of modular components that teams can use to build every layer of their IDPs. These components are both composable and programmable, offering the flexibility to use them as a complete platform solution or to integrate specific elements into your existing IDPs through extensive APIs. Whether you’re building from the ground up or enhancing what you have, KusionStack offers the tools to simplify the process.</p><ul><li><a href="https://github.com/KusionStack/kusion">Kusion</a> — A Platform Orchestrator that “orchestrates” codified intents from multiple parts of an organization, and connects with heterogeneous infrastructures to substantially improve application delivery experience</li><li><a href="https://github.com/KusionStack/karpor">Karpor</a> — A data visualization tool for Kubernetes that provides multi-cluster search, insight, and AI-powered data intelligence that enables interactions with clusters via natural language</li><li><a href="https://github.com/KusionStack/operating">Kuperator</a> — A set of Kubernetes controller extensions that provides more complete workload lifecycle management, traffic management, progressive rollouts, and better observability</li><li>More to come in 2025…</li></ul><h3>Intended scope for KusionStack</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*fBPPlmrq3D34vzQz.png" /></figure><h3>Looking forward…</h3><p>Being an incredible honor and a major milestone as it is, this is a new beginning for the <a href="https://github.com/KusionStack">KusionStack</a> community. We have great plans for 2025 and beyond. We believe Platform Engineering is a multi-year journey to fundamentally transform the way software engineering organizations build and manage their technologies.</p><p>It will be a journey filled with challenges, but we have every confidence in the world we can navigate through, thanks to having such an amazing community. We are very excited about the opportunities to be part of the force that advances cloud-native technologies.</p><p><strong>We wish see you along the way!</strong></p><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=b03fc8500978" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Karpor v0.5.0 Released — A More Secure and User-Friendly Kubernetes Data Plane]]></title>
            <link>https://medium.com/@kusionstack/karpor-v0-5-0-released-a-more-secure-and-user-friendly-kubernetes-data-plane-07d231b65938?source=rss-aebb5f8bf4ad------2</link>
            <guid isPermaLink="false">https://medium.com/p/07d231b65938</guid>
            <category><![CDATA[cloud-native]]></category>
            <category><![CDATA[kubernetes]]></category>
            <category><![CDATA[platform-engineering]]></category>
            <category><![CDATA[multi-cluster]]></category>
            <dc:creator><![CDATA[KusionStack]]></dc:creator>
            <pubDate>Wed, 06 Nov 2024 13:02:02 GMT</pubDate>
            <atom:updated>2024-11-06T13:02:02.997Z</atom:updated>
            <content:encoded><![CDATA[<h3><strong>Karpor v0.5.0 Released - A More Secure and User-Friendly Kubernetes Data Plane, Thanks to the Community!</strong></h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/902/1*hqmYR2UlEFy7wF-u1dXxcg.png" /><figcaption>Karpor v0.5.0 Released!</figcaption></figure><p>The KusionStack team is delighted to announce that <strong>Karpor v0.5.0</strong> release is now available! This update brings four major highlights for users:</p><ul><li><strong>Upgraded Multi-Cluster Management Capabilities</strong>: Added support to import AWS EKS clusters and cluster certificates based on Tokens, providing a more flexible cluster management experience.</li><li><strong>Enhanced Security</strong>: Introduced a new Token-based login mechanism with RBAC(Role-Based Access Control) support, effectively tightening access to better secure the production environments.</li><li><strong>Optimized Installation</strong>: Provided over 30 Helm parameters during installation, fully supporting custom image repositories and arm64 architecture, making on-prem and private deployment scenarios more convenient.</li><li><strong>Improved User Experience</strong>: Newly supported features such as intelligent YAML folding, cluster health checks and version management, delivering a smoother user experience.</li></ul><p><strong>Karpor</strong>, as a sub-project of the KusionStack (part of the CNCF Sandbox) ecosystem, is dedicated to building an intelligent Kubernetes data plane. By providing <strong>advanced search</strong>, <strong>insights</strong>, and <strong>AI capabilities</strong>, it helps users gain critical visibility into their Kubernetes clusters in any cloud environment. We aspire to become a small yet beautiful, vendor-neutral, developer-friendly, and community-driven open-source project!</p><ul><li>Github Repo: <a href="https://github.com/KusionStack/karpor">https://github.com/KusionStack/karpor</a></li><li>Website: <a href="https://www.kusionstack.io/karpor">https://www.kusionstack.io/karpor</a></li><li>Live Demo: <a href="https://karpor-demo.kusionstack.io/">https://karpor-demo.kusionstack.io</a></li></ul><p>This update includes contributions from 12 contributors across 58 PRs, including 14 significant new features and 7 bug fixes. For detailed update information, please refer to the Karpor v0.5.0 Release Notes.</p><h3>❤️ Special Thanks</h3><p>We would like to extend our special thanks to the 9 new code contributors (in alphabetical order):</p><p><strong>@CirillaQL、@cheny-alf、@JasonHe-WQ、@mryanchia、@peter-wangxu、@rajeshkio、@regend、@solarhell、@z1cheng</strong></p><p>We also want to thank the following community members for their valuable suggestions (in alphabetical order):</p><p><strong>@arrowfeng、@danielstankw、@Edwin-Li-01、@eryajf、@haiwu、@kinbod、@T1-leiyang、@wenxuanwu、@ywgx</strong></p><p>Thank you all for your contribution to the development of Karpor 🎉, we are delightedly shocked by the power of the community!</p><p>Welcome to claim the task in “Community Tasks” and participate in the community!</p><p>Link: <a href="https://github.com/KusionStack/karpor/issues/463"><strong>Community Tasks</strong></a></p><figure><img alt="Community Tasks" src="https://cdn-images-1.medium.com/max/1024/0*HoSgaJSNsp-ZdfXd" /><figcaption>Community Tasks</figcaption></figure><h3>🚀 Important New Features</h3><h4><strong>Cluster Management Upgrades</strong></h4><p>1. <strong>Support for Token-based Kubeconfig Import</strong><br> Contributed by @peter-wangxu, this feature provides a more flexible way to access clusters.</p><p>2. <strong>AWS EKS Cluster Support</strong><br> Contributed by @CirillaQL, you can now access the EKS cluster directly using AWS ACCESS_KEY and SECRET_ACCESS_KEY. For detailed configuration instructions, please refer to the EKS Cluster Access Guide.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*SEStS3NBORcgnXj5" /><figcaption>Managed EKS cluster</figcaption></figure><h4><strong>Security Enhancements</strong></h4><p><strong>1.Token Login Based on RBAC</strong><br>Contributed by @ruquanzhao and @hai-tian, this feature supports logging into the Dashboard using a Token issued by Karpor-server. For more details, please refer to the Token Creation Guide.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*R8VgD37ZgLPsOPcdbs4Mtw.png" /><figcaption>authentication page</figcaption></figure><h4><strong>Deployment Optimization</strong></h4><ol><li><strong>More flexible Helm configuration (</strong>@elliotxx)</li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*mbQm2jtFUW4fT3GTFVTL4g.png" /></figure><p>2. <strong>arm64 architecture support(</strong>@elliotxx)</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ihGS_Pnae3TmonyOSdNfPQ.png" /></figure><p>3. <strong>Cert-manager Optimization (</strong>@elliotxx) <br>Migrating Cert-manager into the image solved the issue of slow installation in certain network environments.</p><h4><strong>Experience Improvement</strong></h4><ol><li><strong>Health Check API (</strong>@JasonHe-WQ)<br> Added /livez and /readyz health check APIs.</li><li><strong>YAML Display Optimization (</strong>@regend)<br> Automatically collapse non-critical YAML fields in the Dashboard to improve readability.</li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ip9HOzX9WNFNz7YEZKZZXQ.png" /><figcaption>YAML Folding</figcaption></figure><p>3. <strong>Version Information Display</strong></p><ul><li>Cli supports --version parameter (@rajeshkio)</li><li>Automatic version number generation (@rajeshkio)</li><li>Version display on the Dashboard interface (@solarhell）</li></ul><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*wCrPECUi0vY89nArQMqlJw.png" /><figcaption>Version number display</figcaption></figure><p>4. <strong>UI customization </strong>(@z1cheng) <br> Support configuration for displaying and hiding the GitHub icon.</p><h3>🔧 Bug Fix</h3><p>1. README video encoding optimization (@ruquanzhao)<br>2. Namespace addition to Cert-generator template (@elliotxx)<br>3. REST API response improvement (@elliotxx)<br>4. Fix for Syncer Transform Patch function (@iamryanchia)<br>5. Enhancement of Transform error logging (@iamryanchia)<br>6. Correction of Swagger path (@regend)<br>7. Fix for Hub Cluster Config Endpoint (@elliotxx)</p><h3>📈 Future Plan</h3><p>The v0.5.0 release primarily focuses on optimizing features based on feedback from the community users. Enthusiastic users have already tried Karpor in their internal corporate environments to address the needs of multi-cluster management and data plane requirements.</p><p>We have now started planning for the v0.6.0 version, which will enhance <strong>usability and AI integrations</strong>. For example:</p><ul><li>AI-based Kubernetes troubleshooting (similar to K8SGPT)</li><li>Natural language resource search</li><li>Display of real-time logs and event aggregations</li><li>More features to come…</li></ul><p>Please refer to the detailed milestone for more information. [<a href="https://github.com/KusionStack/karpor/milestone/5">v0.6 Milestone</a>]</p><p>Feel free to bring your suggestions to the [<a href="https://github.com/KusionStack/karpor/discussions/624">Karpor v0.6.0 discussion</a>] or submit an Issue on [<a href="https://github.com/KusionStack/karpor/issues">GitHub</a>].</p><p><strong>🔎 Feature Preview</strong></p><p>Searching for Kubernetes resources via natural language (developed by @jueli12 and @hai-tian) has entered the optimization phase and will be officially released in v0.6.0, stay tuned!</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*1ee5oitpqRXaH7Tgsi3F_Q.png" /><figcaption>Search Kubernetes resources via natural language</figcaption></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*8ip1ef4pL-kvjt4dE7W8dA.png" /><figcaption>LLM-driven SQL generation</figcaption></figure><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=07d231b65938" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Kusion v0.13.0 Release: Enhanced CLI Features and AI Application Support!]]></title>
            <link>https://medium.com/@kusionstack/kusion-v0-13-0-release-enhanced-cli-features-and-ai-application-support-2d213b0d052a?source=rss-aebb5f8bf4ad------2</link>
            <guid isPermaLink="false">https://medium.com/p/2d213b0d052a</guid>
            <category><![CDATA[platform-engineering]]></category>
            <category><![CDATA[cloud-native]]></category>
            <category><![CDATA[kubernetes]]></category>
            <category><![CDATA[open-source]]></category>
            <category><![CDATA[kusionstack]]></category>
            <dc:creator><![CDATA[KusionStack]]></dc:creator>
            <pubDate>Mon, 30 Sep 2024 08:45:22 GMT</pubDate>
            <atom:updated>2024-09-30T08:45:22.832Z</atom:updated>
            <content:encoded><![CDATA[<p>We are happy to announce that the Kusion v0.13.0 Release has been published! We have summed up over 14 new features, 9 bug fixes, and 13 documentation updates with 4 new contributors!</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*yj6DHo3eRDSC9iSjb_BmEg.png" /><figcaption>KusionStack Mascot is here to introduce the new features of Kusion v0.13.0</figcaption></figure><p>As always, we are grateful to the growing KusionStack community for their invaluable contributions, which helped us reach this remarkable milestone. In this post, you will discover some of the exciting new features, selected based on our strong belief in their potential to enhance the user experience of Kusion.</p><h4>Kusion Release Command</h4><p>In v0.13.0 , we have introduced a new command, kusion release , which allows users to observe and update the status of Kusion Release files for the Project in a specified Workspace . This can help users understand the contents of the Release files after executing the kusion apply and kusion destroy commands. Additionally, in case of an unexpected interruption during applying and destroying applications, users can revise the locked status through the command for further operations.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*vubBPuBC6Vuva_tPRPMfyA.png" /><figcaption>kusion release command</figcaption></figure><p>The kusion release command includes the following 3 sub-commands.</p><ul><li>kusion release list lists all the Release files of the current Project in the specified Workspace</li><li>kusion release show shows the details of a Release file of the current or the specified Project</li><li>kusion release unlock unlocks the status of the latest Release file (applying &amp; destroying -&gt;failed) of the current or the specified Project</li></ul><h4>Kusion Resource Command</h4><p>We have also added the kusion resource command in v0.13.0 , which allows users to observe the information of Kusion Resources related to the applications after executing kusion apply or kusion destroy . This will include the actual infrastructural resource names corresponding to the Kusion Resources , the dependency resources of Workload , the IDs of the cloud resources, and the resources’ deployment statuses. The kusion resource command aims to provide application developers and platform engineers with all the infrastructural resource information and relationships corresponding to the config intent, helping users better manage the Day 1 operations.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Pgvqy2VXCbpxm_-JSJ9LYQ.png" /><figcaption>kusion resource graph command</figcaption></figure><p>The kusion resource command includes the following sub-command.</p><ul><li>kusion resource graph displays a graph of all the resource information of the target Project and Workspace</li></ul><h4>Kusion Project List Command</h4><p>Additionally, we have implemented a useful feature in v0.13.0 , allowing users to list all the applied Projects in the target Backend and Workspace through the kusion project list command. This command supports specifying multiple Workspaces simultaneously.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/978/1*0ix5x8z0NTZQfgOQAN4yjw.png" /><figcaption>kusion project list command</figcaption></figure><h4>KCL-based Customized Health Check</h4><p>In previous versions, Kusion would by default to waiting for the reconciliation of kusion-supported Kubernetes resources, including some common resources like Namespace, Deployment, Job and Service during kusion apply . However, for the other resources such as Kubernetes CRD, Kusion could not effectively check their reconciliation status. In v0.13.0 , we support users adding KCL-based customized health check conditions for specified Kusion Resources in the Workspace configurations of a Kusion Module . Kusion will add these customized health check conditions to the Extensions field of the Kusion Resource upon Spec generation and use them to check whether a Kubernetes resource is successfully reconciled during kusion apply .</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*1n8igDp1s4iZowsYb6pMuQ.png" /><figcaption>kcl-based customized health check condition, here `res` represents the Kubernetes resource to reconcile, a reserved field for this feature</figcaption></figure><p>Besides declaring the customized health check conditions in the Workspace configurations of a Kusion Module , we also provide the SDK support in <a href="https://github.com/KusionStack/kusion-module-framework">kusion-module-framework</a>, helping platform engineers to add these health check conditions to the Extensions field of the generated Kusion Resources during the Module development.</p><h4>LLM Ops with Inference Module for AI Applications</h4><p>In the recent wave of Artificial Intelligence (AI), the Large Language Model (LLM) has been becoming a key factor in driving innovation and productivity. As the scale of the LLMs grows, the development and operations of these complex models are becoming increasingly challenging, leading many developers and companies to find more efficient ways to manage the large-scale and intricate AI models and applications.</p><p>Our KusionStack community members have provided a Kusion Module named Inference , aimed at simplifying the complexities of deploying and invoking the LLM inference service for the AI application developers, thus enhancing the efficiency of AI application deployment and operations.</p><pre>import kam.v1.app_configuration as ac<br>import service<br>import service.container as c<br>import inference.v1.inference<br>import network as n<br>​<br>inference: ac.AppConfiguration {<br>    # Declare the workload configurations. <br>    workload: service.Service {<br>        containers: {<br>            myct: c.Container {image: &quot;kangy126/app&quot;}<br>        }<br>        replicas: 1<br>    }<br>    # Declare the inference module configurations. <br>    accessories: {<br>        &quot;inference&quot;: inference.Inference {<br>            model: &quot;llama3&quot;<br>            framework: &quot;Ollama&quot;<br>        }<br>        &quot;network&quot;: n.Network {ports: [n.Port {<br>            port: 80<br>            targetPort: 5000<br>            public: True<br>        }]}<br>    }<br>}</pre><p>Above is the sample config codes with Inference module as an Accessory to provide LLM inference service for AI application, which declares the required config items for the Inference module, model and framework for the developers to select the types of LLM models and frameworks. And the AI application workload can call the corresponding inference service through the INFERENCE_URL environment variable injected by this module. For more details, please refer to the <a href="https://kusionstack.io/docs/user-guides/llm-ops/inferenc">user guides</a> of the Inference module.</p><h4>Bug Fixes</h4><ul><li>Fixed some bugs related to performing JSON Patch on Workload</li><li>Fixed some bugs of initializing Kubernetes and Terraform Runtime</li><li>Fixed some issues with updating Release files during kusion apply and kusion destroy</li><li>Fixed some bugs of not printing all the Kubernetes resources with multiple replicas while applying</li></ul><h4>Summary</h4><p>In this version, we have implemented some new commands of kusion release , kusion resource and kusion project list , helping users better observe and manage the application resources. In addition, we support the KCL-based customized health check for Kubernetes resources. And we provide the Inference module for AI applications to enjoy a more efficient LLM service deployment and integration. Aside from the ones mentioned above, there are tons of small improvements and changes in this release as well. You can find the full details in the <a href="https://github.com/KusionStack/kusion/releases/tag/v0.12.0">Release Note</a>.</p><blockquote><em>Welcome to our Github and leave some feedback! ⭐️</em></blockquote><blockquote><em>Github: </em><a href="https://github.com/KusionStack/kusion"><em>https://github.com/KusionStack/kusion</em></a></blockquote><blockquote><em>Website: </em><a href="https://kusionstack.io/"><em>https://kusionstack.io</em></a></blockquote><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=2d213b0d052a" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Applying Raw Kubernetes Manifest with Kusion]]></title>
            <link>https://medium.com/@kusionstack/applying-raw-kubernetes-manifest-with-kusion-87c49fc45a66?source=rss-aebb5f8bf4ad------2</link>
            <guid isPermaLink="false">https://medium.com/p/87c49fc45a66</guid>
            <category><![CDATA[cloud-native]]></category>
            <category><![CDATA[kusionstack]]></category>
            <category><![CDATA[open-source]]></category>
            <category><![CDATA[kubernetes]]></category>
            <category><![CDATA[platform-engineering]]></category>
            <dc:creator><![CDATA[KusionStack]]></dc:creator>
            <pubDate>Fri, 09 Aug 2024 10:05:51 GMT</pubDate>
            <atom:updated>2024-08-09T10:05:51.319Z</atom:updated>
            <content:encoded><![CDATA[<p>We have introduced <a href="https://www.kusionstack.io/docs/user-guides/working-with-k8s/deploy-application">many cases </a>of how to use Kusion CLI to complete the deployment of an application running on Kubernetes. And these examples all involve using the corresponding <strong>Kusion Module Generator</strong> to generate <a href="https://www.kusionstack.io/docs/concepts/spec">Spec</a> from the Workload and Accessories declared in the abstracted application model <a href="https://www.kusionstack.io/docs/concepts/app-configuration">AppConfiguration</a> with <strong>KCL</strong>. It is the usage we recommend, as it can achieve the separation of concerns between <strong>Developers </strong>and <strong>Platform Engineers</strong>, and thus reducing the cognitive burden on the developers.</p><p>However, in some specific scenario, users may also have the need to directly use Kusion CLI to apply the raw Kubernetes manifests, such as taking over some existing resources and deploying some special resources like <strong>CRD</strong>s (CustomResourceDefinition), benefitting from Kusion’s previewing resource diffs and managing the application <a href="https://www.kusionstack.io/docs/concepts/release">Releases</a> .</p><p>Hence, we are exciting to announce that, to help users directly apply raw K8s manifests, the KusionStack community has provided a <a href="https://www.kusionstack.io/docs/reference/modules/developer-schemas/k8s_manifest/">k8s_manifest</a> module.</p><blockquote>The module definition and implementation, as well as the example we are about to show can be found <a href="https://github.com/KusionStack/catalog/tree/main/modules/k8s_manifest">here</a>.</blockquote><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*eoIUoScqJ-_hwpw0toYdBw.png" /></figure><h3>Pre-requisites</h3><p>Please refer to the <a href="https://www.kusionstack.io/docs/user-guides/working-with-k8s/deploy-application#prerequisites">pre-requisites </a>in the guide for deploying an application with Kusion.</p><p>The example below also requires users to have initialized the project with the command of kusion workspace create , kusion project create , and kusion stack create , which will create a <a href="https://www.kusionstack.io/docs/concepts/workspace">workspace</a> and a <a href="https://www.kusionstack.io/docs/concepts/project/overview">project</a>, and also generate a <a href="https://www.kusionstack.io/docs/user-guides/working-with-k8s/deploy-application#kclmod">kcl.mod</a> file under the <a href="https://www.kusionstack.io/docs/concepts/stack/overview">stack</a> directory.</p><h3>Managing Workspace Configuration</h3><p>Steps to initialize a workspace with an empty configuration can be found at <a href="https://www.kusionstack.io/docs/user-guides/working-with-k8s/deploy-application#initializing-workspace-configuration">this document</a>. And the same empty configuration will still work in this guide, no changes are required here.</p><p>However, if you (or the platform team) would like to set some default paths for the raw K8s manifests to standardize the behavior of applications in the dev workspace, you can do so by updating the dev.yaml with the following config block:</p><pre>modules: <br>    k8s_manifest: <br>        path: oci://ghcr.io/kusionstack/k8s_manifest<br>        version: 0.1.0<br>        configs: <br>            default: <br>                # The default paths to apply for the raw K8s manifest YAML files. <br>                paths: <br>                    - /path/to/k8s_manifest.yaml<br>                    - /dir/to/k8s_manifest/</pre><p>Please note that the paths declared by the platform engineers in the workspace configs will be merged with the ones declared in the AppConfiguration in main.k .</p><p>The workspace configs need to be updated with the command:</p><pre>kusion workspace update dev -f dev.yaml</pre><h3>Example</h3><p>To apply the specified raw K8s manifests with k8s_manifest module, please use the v0.2.1 version of kam , whose workload is no longer a required field in the AppConfiguration model.</p><p>An example is shown below:</p><p>kcl.mod :</p><pre>[dependencies]<br>kam = { git = &quot;https://github.com/KusionStack/kam.git&quot;, tag = &quot;v0.2.1&quot; }<br>k8s_manifest = { oci = &quot;oci://ghcr.io/kusionstack/k8s_manifest&quot;, tag = &quot;0.1.0&quot; }</pre><p>stack.yaml :</p><pre># Generate a specified namespace <br>name: dev<br>extensions: <br>  - kind: kubernetesNamespace<br>    kubernetesNamespace: <br>      namespace: test</pre><p>main.k :</p><pre>import kam.v1.app_configuration as ac<br>import k8s_manifest<br><br>test: ac.AppConfiguration {<br>    accessories: {<br>        &quot;k8s_manifests&quot;: k8s_manifest.K8sManifest {<br>            paths: [<br>                # The `test.yaml` should be placed under the stack directory, <br>                # as it is declared using a relative path. <br>                &quot;./test.yaml&quot;<br>            ]<br>        }<br>    }<br>}</pre><p>test.yaml :</p><pre>apiVersion: apps/v1<br>kind: Deployment<br>metadata:<br>  name: nginx-deployment<br>  namespace: test<br>  labels:<br>    app: nginx<br>spec:<br>  replicas: 3<br>  selector:<br>    matchLabels:<br>      app: nginx<br>  template:<br>    metadata:<br>      labels:<br>        app: nginx<br>    spec:<br>      containers:<br>      - name: nginx<br>        image: nginx:1.14.2<br>        ports:<br>        - containerPort: 80</pre><h3>Generate Spec</h3><p>Execute the kusion generate command, the Deployment in the test.yaml will be generated into a Kusion Resource with a Kusion ID in the Spec .</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/820/1*RETuhjZVUfaeEmyNCVuM6g.png" /><figcaption>kusion generate result</figcaption></figure><h3>Preview and Apply</h3><p>Execute the kusion preview command, we can review the resource three-way diffs for a more secure deployment.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1006/1*BGDVuA9o3fswbEi1AM98YA.png" /><figcaption>kusion preview result</figcaption></figure><p>Execute the kusion apply command to deploy the K8s resources.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*XAJKsC_9bMMbYOHlvjv6TQ.png" /><figcaption>kusion apply result</figcaption></figure><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=87c49fc45a66" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Kusion v0.12.1 Release: Improve Comprehensive Capabilities and Optimize User Experience]]></title>
            <link>https://medium.com/@kusionstack/kusion-v0-12-1-release-improve-comprehensive-capabilities-and-optimize-user-experience-0375075d8fde?source=rss-aebb5f8bf4ad------2</link>
            <guid isPermaLink="false">https://medium.com/p/0375075d8fde</guid>
            <category><![CDATA[platform-engineering]]></category>
            <category><![CDATA[cloud-native]]></category>
            <category><![CDATA[open-source]]></category>
            <category><![CDATA[kusionstack]]></category>
            <dc:creator><![CDATA[KusionStack]]></dc:creator>
            <pubDate>Fri, 02 Aug 2024 09:35:23 GMT</pubDate>
            <atom:updated>2024-08-02T09:35:23.953Z</atom:updated>
            <content:encoded><![CDATA[<p>We are happy to announce that the Kusion v0.12.1 Release has been published! We have summed up over 18 new features, 8 bug fixes, and 5 documentation updates with 2 new contributors!</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*nQDpH4cVEmiwUcC-35Oyfw.png" /><figcaption>KusionStack Mascot is here to introduce the new features of Kusion v0.12.1</figcaption></figure><p>As always, we are grateful to the growing KusionStack community for their invaluable contributions, which helped us reach this remarkable milestone. In this post, you will discover some of the exciting new features, selected based on our strong belief in their potential to improve the user experience.</p><h4>Optimize Storage Backend Management</h4><p>In this version, we add support for AWS S3 path-style endpoint for Kusion backend storage, and provide a new kusion release unlock command to unlock the latest Release file of the current Stack . This can prevent Phase in the Release file from being locked in an unfinished states such as previewing , applying , and destroying due to unexpected interruptions, which may cause users unable to perform subsequent operations with Kusion on the Stack .</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*oTTjL34qW9zyjqVsoE1sbg.png" /><figcaption>kusion release unlock command</figcaption></figure><h4>Optimize the Display of Sensitive Information</h4><p>In the previous versions, the kusion preview and kusion apply command would directly expose the plaintext data and stringData when displaying Kubernetes Secret resources, posing a risk of sensitive information leakage. In this version, we optimize the display of the sensitive information, and the data and stringData field of Kubernetes Secret resources will not be displayed in plaintext.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*pZwXBMXjm83NYNXPNf0pjA.png" /><figcaption>masked data and stringData field in the kusion preview results</figcaption></figure><h4>Optimize Terraform Cloud Resource Management</h4><p>In this version, Kusion provides the ability to import existing cloud resources, and for the imported resources, Kusion will skip their deletion during kusion destroy , as there may be multiple applications sharing the same resources. Additionally, Kusion also supports concurrent operations on independent Terraform resources, thereby improving the operational efficiency.</p><p>A sample configuration is shown below.</p><pre>modules: <br>    mysql: <br>      path: oci://ghcr.io/kusionstack/mysql<br>      version: 0.2.0<br>      configs:<br>          default: <br>            cloud: alicloud<br>            size: 20<br>            instanceType: mysql.n2.serverless.1c<br>            category: serverless_basic<br>            privateRouting: false<br>            subnetID: vsw-2zem*********<br>            databaseName: &quot;wordpress-mysql&quot;<br>            # Import an existing alicloud_db_instance. <br>            importedResources: <br>              &quot;aliyun:alicloud:alicloud_db_instance:wordpress-mysql&quot;: &quot;rm-2zem********&quot;<br>    network:<br>        path: oci://ghcr.io/kusionstack/network<br>        version: 0.2.0<br>        configs:<br>            default: {}</pre><h4>Support Runtime Configuration in Workspace</h4><p>In this version, users can decalre the Kubernetes cluster configs and Terraform Provider credentials as runtime configurations in the context field in Workspace with the following configuration items.</p><ul><li>KUBECONFIG_PATH : Kubernetes cluster config path</li><li>KUBECONFIG_CONTENT : Kubernetes cluster config content, supporting plaintext or referring AWS and Alicloud Secrets Manager URL for declaration, e.g. ref://secret-store//kubeconfig</li><li>AWS_ACCESS_KEY_ID : Terraform AWS Provider access key ID, supporting plaintext or referring AWS and Alicloud Secrets Manager URL for declaration</li><li>AWS_SECRET_ACCESS_KEY : Terraform AWS Provider secret key, supporting plaintext or referring AWS and Alicloud Secrets Manager URL for declaration</li><li>ALICLOUD_ACCESS_KEY : Terraform Alicloud Provider access key ID, supporting plaintext or referring AWS and Alicloud Secrets Manager URL for declaration</li><li>ALICLOUD_SECRET_KEY : Terraform Alicoud Provider secret key, supporting plaintext or referring AWS and Alicloud Secrets Manager URL for declaration</li></ul><p>A sample configuration is shown below.</p><pre><br>modules: <br>    mysql: <br>      path: oci://ghcr.io/kusionstack/mysql<br>      version: 0.2.0<br>      configs:<br>          default: <br>            cloud: alicloud<br>            size: 20<br>            instanceType: mysql.n2.serverless.1c<br>            category: serverless_basic<br>            privateRouting: false<br>            subnetID: vsw-2zem*********<br>            databaseName: &quot;wordpress-mysql&quot;<br>    network:<br>        path: oci://ghcr.io/kusionstack/network<br>        version: 0.2.0<br>        configs:<br>            default: {}<br># The remote secrets manager for sensitive data storage. <br>secretStore:<br>  provider:<br>    aws:<br>      region: us-east-1<br># Runtime configs. <br>context: <br>  # Kusion will retrieve the encrypted kubeconfig with the secretStore provider declared above. <br>  KUBECONFIG_CONTENT: ref://secret-store/kubeconfig<br>  ALICLOUD_ACCESS_KEY: LTAI5*********<br>  ALICLOUD_SECRET_KEY: LNOmf*********</pre><h4>Support Using Spec for Preview and Apply</h4><p>In this version, Kusion supports using the Spec file as the input for the kusion preview and kusion apply command. Users can specify a Spec file in the Stack directory with the --spec-file flag. The Kusion engine can directly consume the Spec file and update the operation results to the corresponding Release file for the Stack .</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*4uXFablF-q-IjJy8uFLWdw.png" /><figcaption>kusion apply with specified spec file</figcaption></figure><h4>Complete the Modularization of the Workload</h4><p>In the version of v0.12.0 , we have decoupled the schema definitions of Service and Job workloads separately from the codes of Kusion. And in this version, we have completely modularized the Workload , both of the schema definitions and module generator implementations for Service and Job workloads have been moved to the <a href="https://github.com/KusionStack/catalog">catalog</a> repository.</p><p>A sample configuration is shown below.</p><pre># kcl.mod<br>[package]<br><br>[dependencies]<br>kam = { git = &quot;https://github.com/KusionStack/kam.git&quot;, tag = &quot;0.2.0&quot; }<br>service = { oci = &quot;oci://ghcr.io/kusionstack/service&quot;, tag = &quot;0.2.0&quot; }</pre><pre># main.k<br>import kam.v1.app_configuration as ac<br>import service<br>import service.container as c<br><br>quickstart: ac.AppConfiguration {<br> workload: service.Service {<br>  containers: {<br>   quickstart: c.Container {<br>    image: &quot;kusionstack/kusion-quickstart:latest&quot;<br>   }<br>  }<br> }<br>}</pre><p>Please note that Kusion v0.12.1 is not compatible with the locally cached 0.1.0 version of Service and Job modules. Users may need to delete the locally cached directories of $HOME/.kcl/kpm/service_0.1.0 and $HOME/.kcl/kpm/job_0.1.0 , or use the 0.2.0 version of Service and Job modules.</p><h4>Bug fixes</h4><ul><li>Fix a bug of volume directory overwrite misbehave</li><li>Fix a bug of reusing cached Terraform providers</li><li>Fix a bug of JsonPatch error message exposure</li></ul><h4>New Contributors</h4><p>Sincere gratitude to @<a href="https://github.com/hoangndst">hoangndst</a> and @<a href="https://github.com/vietanhtwdk">vietanhtwdk</a> from Vietnam for contributing to the <a href="https://github.com/KusionStack/kusion">Kusion</a> repository!</p><h4>Summary</h4><p>In this version, we optimize the storage backend management, the display of sensitive information, and Terraform cloud resource management. Besides, we add support for runtime configurations in Workspace and using Spec file as the input for kusion preview and kusion apply . In addition, we completely implement the Workload modularization.</p><p>Aside from the ones mentioned above, there are tons of small improvements and changes in this release as well. You can find the full details in the <a href="https://github.com/KusionStack/kusion/releases">Release Note.</a></p><blockquote>Welcome to our Github and leave some feedback! ⭐️</blockquote><blockquote>Github: <a href="https://github.com/KusionStack/kusion">https://github.com/KusionStack/kusion</a></blockquote><blockquote>Website: <a href="https://kusionstack.io/">https://kusionstack.io</a></blockquote><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=0375075d8fde" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Karpor Has Been Open-Sourced! Build a Kubernetes Visualization Tool in the AI ​​era]]></title>
            <link>https://medium.com/@kusionstack/karpor-has-been-open-sourced-build-a-kubernetes-visualization-tool-in-the-ai-era-6aa2882b35a2?source=rss-aebb5f8bf4ad------2</link>
            <guid isPermaLink="false">https://medium.com/p/6aa2882b35a2</guid>
            <category><![CDATA[cloud-native]]></category>
            <category><![CDATA[kubernetes]]></category>
            <category><![CDATA[visualization-tool]]></category>
            <category><![CDATA[open-source]]></category>
            <category><![CDATA[ai]]></category>
            <dc:creator><![CDATA[KusionStack]]></dc:creator>
            <pubDate>Mon, 01 Jul 2024 12:49:02 GMT</pubDate>
            <atom:updated>2024-07-01T13:53:12.762Z</atom:updated>
            <content:encoded><![CDATA[<h3>Karpor Has Been Open-Sourced!<strong> We Build a Kubernetes Visualization Tool in the AI ​​era</strong></h3><h3>🔔 What is Karpor?</h3><p>Today we are excited to announce that Karpor is now open-source! 🎉🎉🎉</p><p>Karpor is a <strong>Modern Kubernetes Visualization Tool</strong>. Its core features focus on <strong>🔍 Search, 📊 Insight and ✨ AI</strong>. The goal is to connect platforms and multi-clusters more easily and quickly, and use AI to empower kubernetes to extract key insights from proliferations of cluster resources and provide them to end users.</p><p>Karpor is designed to <strong>reduce the complexity to use kubernetes</strong>, so that developers and platform teams can extract the most valuable information more effectively and intuitively.</p><p><strong>GitHub</strong>：<a href="https://github.com/KusionStack/karpor">https://github.com/KusionStack/karpor</a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*tQEAHm6KOxZn5lLT.png" /></figure><h3>🚀 Why Karpor?</h3><p>The increasing complexity of the kubernetes ecosystem is an undeniable trend that is becoming more and more difficult to manage. This complexity not only entails a heavier burden on operations and maintenance but also slows down the adoption of new technologies by users, limiting their ability to fully leverage the potential of kubernetes.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*MGHG6nCjUTFaTdTK" /></figure><p>As an experienced <em>Kubernetes YAML Engineer</em>, you may have also encountered the <strong>following perplexities</strong>:</p><ul><li>The cluster is like a black box, sometimes all you can see is a KubeConfig, and we can’t see what happens behind it</li><li>The team/company has a specific business domain model and needs to establish a mapping between existing systems and kubernetes resources</li><li>The application has been deployed to multiple kubernetes clusters, but its topology is not fully visible</li></ul><p>We have used several kubernetes visualization tools over time, such as Lens, k9s, kube-explorer, and the kubernetes dashboard, among others. Some are commercialized, some do not support self-host, and some are rudimentary for production needs… In short, <strong>we have not yet encountered a product that completely satisfied with</strong>.</p><p>The recent rise of large language models has sparked an unprecedented wave of artificial intelligence innovations. This time, AI technology has remarkably infiltrated its way into people’s everyday life. Even my retired parents have started using AI services, which makes me believe that we are at <strong>a historical moment that is reshaping the world</strong>.</p><p>So naturally we started <strong>building a lightweight, AI-empowered kubernetes visualization tool</strong> to solve the problems mentioned earlier. It features the following:</p><ul><li>Fully empowers Kubernetes with <strong>AI</strong>.</li><li><strong>Identify</strong> <strong>potential risks</strong> and provide <strong>solutions based on AI</strong>.</li><li><strong>Customized logical views</strong> to fit the resource organization models for different scenarios, such as applications, environments, etc, which may have different interpretations at places.</li><li><strong>Travel back in time </strong>via timeline, time machine to quickly diagnose and <strong>troubleshoot</strong> based on historical snapshots.</li><li><strong>Intuitive and effective search</strong>, providing a number of user-friendly ways to locate resources across clusters, such as keywords, SQL, and natural language.</li><li><strong>Low cognitive burden</strong>, it is read-only, non-invasive to the cluster it’s watching, and users can deploy it to their private environments with one click.</li><li><strong>Cross-cluster topological views</strong>, providing a global perspective of resources no matter where they are.</li></ul><p>We have named this tool <strong>Karpor</strong>. In general, we wish Karpor to focus on <strong>🔍 search, 📊 insights, and ✨ AI</strong>, to <strong>break through the increasingly complex maze of kubernetes</strong>, achieving the following <strong>value proposition</strong>:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*mGj5TBnkW2ntSAXG.png" /></figure><p>As of today, we have built the initial version of Karpor based on this vision, which features the following:</p><ul><li>An optimized <strong>search experience</strong> for kubernetes:</li></ul><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*gxvK8D7RorBzGqA-.png" /></figure><ul><li>Discover potential problems through <strong>compliance reports</strong>:</li></ul><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*BSuWWBq01CbJuVcU.png" /></figure><ul><li>Manage the <strong>customized logical views</strong>:</li></ul><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*4uFnPDPRy8x7o2DL.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*UFeMV4EfuLbZF-dA.png" /></figure><h3>🙌 Karpor vs. Kubernetes Dashboard</h3><p>In today’s kubernetes ecosystem, there are multiple tools and platforms that can manage and visualize clusters. Kubernetes Dashboard is an officially provided universal web UI for managing and troubleshooting kubernetes clusters. Karpor, as an emerging Kubernetes Visualization Tool, is designed to provide more advanced features and a better user experience.</p><p>Here are some key comparisons between Karpor and Kubernetes Dashboard:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*P0qkIpE_AalUkwPd.png" /></figure><h3>🎖 ️Vision: Embracing the Community</h3><p>We firmly believe that a successful open-source project should be community-driven. For open-source projects, we come up with an idea and build an initial version. The final form of the project, we believe, should be well guided by the community.</p><p>Therefore, we are committed to shaping Karpor into something that is:</p><ul><li><strong>Small and beautiful</strong>: Focused on an excellence of user experience.</li><li><strong>Vendor-neutral</strong>: Independent from any specific cloud services or companies.</li><li><strong>Developer-friendly</strong>: Community-friendly with high-quality documentations and support.</li><li><strong>Community-driven</strong>: Encouraging and welcoming contributors to participate in and even lead the development of the project.</li></ul><p>We place great emphasis on community participation and contribution. To this end, we have specially put together a <strong>community task list</strong> to help those that are interested quickly get started and participate in the project. The tasks are categorized by difficulty, ranging from simple tasks such as document translation, bug fixes, and unit testing, to medium-difficulty tasks like log/event aggregators, risk audit enhancements, and automatic cluster imports, to challenging tasks such as OpenCost integration and login authentication.</p><p>We encourage every developer interested in Karpor to visit our GitHub page, review the task list, and contribute at ease.</p><p>🎖︎ <strong>Community Task List</strong>: <a href="https://github.com/KusionStack/karpor/issues/463">https://github.com/KusionStack/karpor/issues/463</a></p><p>All developers who participate in the community will be featured in the Contributors section on the README and the homepage of the official website. We extend our sincerest thanks to all developers and contributors who are already active in the Karpor open-source project, for your efforts and creativity! We look forward to working with the community to make Karpor an even more powerful and comprehensive open-source tool.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*tEvJY0WIXbkrLIIF.png" /></figure><h3>🌈 Moving Forward</h3><p>We are actively soliciting feedback and suggestions from the community to plan the next version of Karpor — v0.5. We want to hear your voice, whether it’s feature requests, improvement suggestions, or bug reports; please leave a comment in the corresponding issue.</p><p>Our <strong>ultimate goal is to shape Karpor into a community-driven Kubernetes Visualization Tool in the AI era</strong>. Currently, what we have is a usable version with basic functionalities.</p><p>In the next version, we will solidify the basic functionalities and fully embrace AI. We have preliminarily planned some new features, such as support for natural language search of cluster resources, AI-driven diagnostic suggestions, timelines, etc., to help users better understand resources in multiple clusters, identify issues, and troubleshoot. We welcome everyone’s feedback!</p><p><strong>If you like this project, welcome to Star on GitHub </strong>🌟🌟🌟</p><p><a href="https://github.com/KusionStack/karpor">https://github.com/KusionStack/karpor</a></p><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=6aa2882b35a2" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[A Blend of Fire and Ice: Accelerating Innovations Across Internet and Financial Services via…]]></title>
            <link>https://medium.com/kusionstack/a-blend-of-fire-and-ice-accelerating-innovations-across-internet-and-financial-services-via-1e87adecab0d?source=rss-aebb5f8bf4ad------2</link>
            <guid isPermaLink="false">https://medium.com/p/1e87adecab0d</guid>
            <category><![CDATA[cloud-native]]></category>
            <category><![CDATA[kubernetes]]></category>
            <category><![CDATA[platform-orchestrator]]></category>
            <category><![CDATA[devops]]></category>
            <category><![CDATA[platform-engineering]]></category>
            <dc:creator><![CDATA[KusionStack]]></dc:creator>
            <pubDate>Fri, 28 Jun 2024 10:05:36 GMT</pubDate>
            <atom:updated>2024-06-28T10:07:51.996Z</atom:updated>
            <content:encoded><![CDATA[<h3>A Blend of Fire and Ice: Accelerating Innovations Across Internet and Financial Services via Platform Engineering at Ant Group</h3><blockquote>If you are also building an IDP, our practical experience might be helpful to you.</blockquote><figure><img alt="" src="https://cdn-images-1.medium.com/max/480/1*EP0TLCjxmFK9xd6KCvANlA.jpeg" /><figcaption><a href="https://www.youtube.com/watch?v=fLKACVuS1do"><em>https://www.youtube.com/watch?v=fLKACVuS1do</em></a></figcaption></figure><h3>About the Author</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*_v_cR1D-nkAczjW0.png" /></figure><p>Mr. Wang Zijian is a senior staff and PaaS team leader in the Platform Engineering and Technology Risk Department at Ant Group. This article is transcribed from his speech “A Blend of Fire and Ice: Accelerating innovations across Internet and Financial Services via Platform Engineering at Ant Group” at PlatformCon 2024.</p><p>Hello everyone, welcome to join us at PlatformCon 2024. My name is Zijian Wang. I’m from the Platform Engineering and Technology Risk Department at Ant Group.</p><p>Yes, you heard that right. Ant Group has specifically created this department to implement our platform engineering strategy. In this post-COVID era, it has become particularly important to drive the innovation and growth of the company’s business. To this end, we are focusing on building a self-service Internal Developer Platform to improve developer efficiency and accelerate innovation within the company. Currently, I am the leader of the company’s PaaS team, responsible for building our IDP.</p><h3>AntGroup: Develop digital technology to serve the real economy</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*jRCkMRCpo3_Kzqma.png" /></figure><p>Our platform serves as a fundamental pillar that supports the diverse business scenarios within Ant Group, including digital payments, connectivity, finance, technologies, and globalization. We have more than 10,000 developers who build software on global infrastructures across multiple clouds. To ensure this extensive and complex production is running smoothly, Ant Group has established a Platform Technologies Business Group, responsible for the technological foundation beneath all the lines of business.</p><p>My department, the Platform Engineering and Technology Risk Department, is at the heart of this organization, providing support upwards to the application teams and collaborating downwards with our computing and AI infrastructure. The goal is to provide efficient, secure, and risk-adjusted platform technology products and services to all our lines of business (LOBs).</p><h3>Primary technical challenges: Ice and Fire</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*vG5waggOas_AMbbk.png" /></figure><p>In our journey, the primary challenge comes from Ant Group’s diversified business landscape. Serving over a billion users and 80 million merchants, the Alipay app processes hundreds of millions of transactions daily. Furthermore, Ant’s digital finance serves more than 2,000 financial institutions in China and has provided digital credit services to over 50 million small and micro businesses.</p><p>As a consequence, the developers at Ant Group are facing a quite unique challenge. On one side, they need to quickly innovate and test out new ideas on the internet business side. On the other, digital finance requires the utmost stability, safety, and risk management. It’s like trying to mix fire with ice.</p><p>In the past few years, cloud-native technologies are flourishing, which introduced a great deal of complexity of using multi-clouds infrastructure to the developers. Along with this, the popularization of DevOps and the shift-left approach has significantly increased the responsibilities and cognitive burden on our developers, lowering their productivity and efficiency, and further hindering the company’s ability to quickly innovate.</p><h3>The Strategy of Platform Engineering at Ant Group</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*c-QETV8gZUMb3d8I.png" /></figure><p>To address this challenge, reconcile the conflict between this ice and fire situation, and further reduce the burden on developers, Ant Group has developed a strategy to implement platform engineering philosophies, which includes three major points:</p><ul><li>First of all, we have built a unified PaaS product for the entire business: Jiuzhou. A unified control plane and constraints on the application architectures are essential premises for an effective risk and security control on a global scale. Jiuzhou was initially positioned as Ant Group’s operations platform, primarily serving operations engineers and SREs. However, with the evolution of the DevOps movement, about 70% of our users are now application developers. As a response, we have also transformed our platform product strategy, upgrading Jiuzhou to an IDP, a.k.a an Internal Developer Platform. We intend to focus on developers as the primary users of our platform, improving the developer experience through a one-stop developer portal that hides the complexity beneath the surface. This approach helps developers achieve efficient software development, operations, and delivery, thereby accelerating TTM(Time To Market).</li><li>Secondly, unlike the shift-left movement, which transfers the complexities and responsibilities to the developers, we are continuously shifting operations, risk management, security, and trust capabilities downwards into our platform by shipping it with Kubernetes and other cloud-native technologies, into the platform layer. This approach decouples the advanced platform capabilities required by financial services from the application code, allowing developers to focus solely on the business logic, thereby balancing the contradictions between competing demands.</li><li>Finally, we’ve discovered in practice that a platform product that is natively stacking capabilities and accommodating all the applications, often gradually turns the platform team into a bottleneck trying to meet all the customer needs. The diverse business requirements and standardized platform capabilities are difficult to reconcile. In some cases where rapid innovations are justified, the required platform capabilities might not always be considered the most critical ones to prioritize from a holistic view. However, these seeds of innovation could represent the infinite potential looking into the future. Therefore, openness is the most important strategy following a unified-paas and shift-down. For platform capabilities, we have built a programmatic interface based on the concept of “Everything as Code”, thereby enabling the SREs and Platform Engineers to quickly pave golden paths for developers, customized for specific scenarios. While reusing the platform’s core capabilities, this approach aims to meet the diverse business needs as much as possible.</li></ul><h3>Unified PaaS — Platform + Service accelerates business innovations</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*WrXyVvXBT_yfNeVK.png" /></figure><p>Back in 2014 and 2015, Ant Group created its first-generation PaaS platform product, Jiuzhou 1.0, to facilitate the needs for application operations and technical support. However, with the evolution into a more diversified business landscape, small platforms under different business groups started to naturally appear, leading to many independent “siloed” architectures across the company. These fragmented platforms resulted in inconsistent standards, especially in dealing with global architecture issues such as the ability to manage technical risks, which became more inefficient and difficult, posing challenges to business development.</p><p>As a result, we initiated an upgrade for the PaaS platform product, which launched Jiuzhou 2.0. A major highlight was the centralization into a single application control plane across the company, which not only achieved consolidation of the application’s metadata, operations, and change management but also allowed each business group to benefit from the high-quality technical risk management capabilities, underpinning the rapid growth of internet finance businesses over the years.</p><p>However, this approach also introduced more constraints into software development, which soon led to a loss of diversity in business development. As a natural response, We launched a strategy for platform engineering, continuously upgrading the PaaS product to an IDP (Internal Developer Platform). This time, our primary goal was to improve developer efficiency and enable self-service by providing a set of core capabilities covering the software development lifecycle. At the organizational level, we re-scoped the responsibilities of SREs (Site Reliability Engineers) and formed a dedicated team of platform engineers to fill the gap. This team was responsible not only for managing risks but also for improving efficiency.</p><p>The platform was divided into two parts: The bottom layer leverages core cloud-native capabilities to provide general functionalities for various business scenarios, including identity, permissions, metadata, deployment, changes, configuration, and capacity management. Meanwhile, the top layer equips SREs (Site Reliability Engineers) and platform engineers with a Golden Path Builder, enabling them to serve various relevant business teams by paving opinionated golden paths based on these core capabilities. This meets the diverse needs of developers across different business groups. Essentially, we’ve established a layered architecture in which the platform, together with SREs and platform engineers, supports all the developers at Ant Group, accelerating the Time To Market.</p><h3>Declarative Workloads — Automating the procedural operations</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*eEEWq_rrlhyoM-2D.png" /></figure><p>In addition to building a consolidated platform, we have also committed to shift-down various technical capabilities to the infrastructure layer. Operations and changes to an application, being a key part of the software development lifecycle (SDLC), have been re-implemented through the Kubernetes Operator. This approach has redefined the traditional operational tasks, making them accessible to developers in a declarative manner. This transformation has significantly streamlined the operations process, similar to how automated driving works: users just need to declare their intended destination, and the remaining process is handled automatically by the car, or in this case, the platform.</p><p>Evidently, this represents an ideal scenario. To distinguish ourselves from the various K8S Workloads found within the community, we have developed our own workloads and extensions for cloud-native resources. These, such as CollaSet, PodDecoration, and OperationJob, are used to manage application workloads, sidecars, and traditional procedural operations, respectively. They are consolidated and abstracted as Kubernetes resources for streamlined management and integration with Ant Group’s technical risk system, achieving a shift-down of risk management capabilities. This includes service level protection, change governance, and circuit breaker mechanisms.</p><p>For Pod lifecycle management, PodOpsLifecycle extends and integrates Pod and container state management across all workloads. This approach enables developers to execute necessary actions at specific phases of a Pod operation — before, during, or after. For instance, excluding the Pod’s IP from the traffic routing rules before initiating changes, performing the actual changes, and adding it back after the it is completed, to achieve a graceful Pod operation, and prevent any traffic loss.</p><h3>Alter Shield — Empowering DEV to change with confidence</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*d3R_62hP2aGCz4TF.png" /></figure><p>From a stability perspective, about 60% of incidents within Ant Group are caused by changes. The adoption of the unified declarative operations not only improves developers’ efficiency but also provides an excellent tangent for centralized technical risk assurance. As a result, we have developed a cloud-native risk defense product: Alter Shield.</p><p>On one hand, we introduced the Open Change Management Specification protocol to standardize change information, which is defined and managed through the Altershield platform. On the other hand, the platform implements a unified change Pipeline across multiple environments within the SDLC, automating the batch processing and canary release of changes at scale, and adding Hooks before and after each batch of changes. These Hooks are connected to change Policies, capable of conducting impact analysis, change interruption, and business and system metrics measurement.</p><p>In the early stages, most of these policies were written by SREs, implementing universal risk prevention and control. As we implement our platform engineering strategy and focus on improving developer efficiency, we are also making change policies accessible to developers. For example, a declarative policy might state that if a certain business metric drops during a change process, the platform can automatically roll back the change or take other actions, enabling unattended change processes and empowering developers to change with confidence.</p><h3>Trust-Native IAM — Balancing safety and efficiency</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*cymOQyxxE34_Shdb.png" /></figure><p>Efficiency, risk control, and security are the ‘Iron Triangle’ of our core platform metrics. Within this premise, the IAM provides the core capabilities to manage identities and permissions across the platform. It is responsible for issuing universal identities for both users and applications, while also keeping track of the organizational structures and resource topologies across the entire company. This enables the platform to construct a Resource Graph that connects resources to their corresponding applications and organizations. Based on this graph, the platform is able to automatically derive the relations among application assets and result in less permission approvals.</p><p>In the meantime, secret managements, application permission requests, and policy-based access control, we’ve also shift-down this entire set of capabilities by leveraging cloud-native technologies. For example, we’ve implemented an identity injection mechanism based on Kubernetes. When a POD is created, an identity is automatically provisioned and injected into each container. By leveraging the Distributed App Runtime, which offloads the communication of distributed applications to the Sidecar component, decoupling them from the application logic. In this way, the distributed applications runtime controls access and secures connections to external service calls based on injected identities.</p><p>Most Importantly, all these security features are transparent to the application and does NOT require any prior knowledge. Therefore, we’ve named this mechanism Trust-Native, emphasizing that our platform’s security and trust capabilities are built-in natively, achieving a balance between efficiency and security.</p><h3>Kusion — Fusion of K8s and all infra enables open collaboration</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*XMsmIQebYN22cYak.png" /></figure><p>Eventually, we’ve codified all capabilities and built the platform centered around a Platform Orchestrator named Kusion. We’ve connected to various types of infrastructures through an expandable driver-like mechanism, including Kubernetes as well as other cloud infrastructures. Based on KCL (Kusion Configuration Language) and an configuration monorepo, we provided the developers with a consistent, efficient, and secure programmable interface. Moreover, downstream teams can build new configuration models leveraging these existing and reusable ones to meet the specific business needs, thus creating a thriving ecosystem.</p><p>In the early days, our first and foremost goal was to fully codify Ant infrastructure, in order to accelerate the adoption of the IaC (Infrastructure as Code) strategy. However, we’ve noticed that when various perspectives of the configurations were merged together, especially when it’s mixing up the viewpoints representing applications and infrastructure opinions, developers are more likely to find it both challenging and inefficient when managing those configuration code.</p><p>We received a substantial amount of feedback and learned valuable lessons from these experiences. Based on the division of labor and the collaboration patterns among developers, SREs, and platform engineers, we’ve defined and implemented a mechanism for separation of concerns. By drawing insights from DCM (Dynamic Configuration Management), we have upgraded the entire Kusion configuration model and the platform orchestrator.</p><p>The upgraded model distinguishes between application configurations that are environment-agnostic and those that aren’t. In terms of division of labor, global configurations and environment-specific ones, especially the complex, cell-based deployment configurations are usually maintained by SREs, who also select the scopes for them to take effect. (A cell is the smallest deployable unit that represents a logical isolation for an application).</p><p>Correspondingly, developers only need to define the part of the configurations that is closely relevant to the application itself, hopefully mostly are environment-agnostic. When the configurations are consumed by Kusion, it automatically associates the two based on previously defined scopes of effectiveness, dynamically generates the final infrastructure specifications, and then applies them to the infrastructure. This significantly reduces developers’ awareness of various configurations which heavies their burden. Of course, Ant Group’s cell-based deployments has a long history and penetrates all aspects of the infrastructures. This work continues as we implement our platform engineering strategy, with the ultimate goal to completely eliminate developers’ need to be aware of cell-based and all other environment-specific deployment configurations.</p><h3>Welcome everyone to join our communit</h3><p>We have already partially open-sourced our platform capabilities, which include the KusionStack and the AlterShield projects. KusionStack is a platform engineering technology stack, aimed at helping platform engineers build their own Internal Development Platforms (IDP).</p><p>Meanwhile, AlterShield represents the open-source implementation of Ant Group’s Technological Risk-defense as a Service. In the future, we plan to open-source more platform capabilities. Here are the related links and I welcome everyone to join our community.</p><p>KusionStack：</p><ul><li>Website: <a href="https://kusionstack.io/">https://kusionstack.io</a></li><li>Github: <a href="https://github.com/KusionStack/">https://github.com/KusionStack/</a></li><li>Slack: <a href="https://join.slack.com/t/kusionstack/shared_invite/zt-2drafxksz-VzCZZwlraHP4xpPeh_g8lg">kusionstack.slack.com</a></li><li>Twitter: <a href="https://x.com/KusionStack">@KusionStack</a></li></ul><p>AlterShield:</p><ul><li>Website: <a href="https://altershield.io">https://altershield.io</a></li><li>Github: <a href="https://github.com/traas-stack/">https://github.com/traas-stack/</a></li></ul><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=1e87adecab0d" width="1" height="1" alt=""><hr><p><a href="https://medium.com/kusionstack/a-blend-of-fire-and-ice-accelerating-innovations-across-internet-and-financial-services-via-1e87adecab0d">A Blend of Fire and Ice: Accelerating Innovations Across Internet and Financial Services via…</a> was originally published in <a href="https://medium.com/kusionstack">KusionStack</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Kusion v0.12.0 Release: Optimize Comprehensive Capabilities and Provide Production Practice Cases]]></title>
            <link>https://medium.com/@kusionstack/kusion-v0-12-0-release-optimize-comprehensive-capabilities-and-provide-production-practice-cases-a8c3efbe51bd?source=rss-aebb5f8bf4ad------2</link>
            <guid isPermaLink="false">https://medium.com/p/a8c3efbe51bd</guid>
            <category><![CDATA[kusionstack]]></category>
            <category><![CDATA[cloud-native]]></category>
            <category><![CDATA[open-source]]></category>
            <category><![CDATA[platform-engineering]]></category>
            <dc:creator><![CDATA[KusionStack]]></dc:creator>
            <pubDate>Fri, 14 Jun 2024 07:21:26 GMT</pubDate>
            <atom:updated>2024-06-14T07:21:26.708Z</atom:updated>
            <content:encoded><![CDATA[<p>We are happy to announce that the Kusion v0.12.0 Release has been published! We have summed up over 26 new features, 18 bug fixes, and 14 documentation updates with 2 new contributors!</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*DxMFv58goYQgjKuKBFUq7g.png" /><figcaption>KusionStack Mascot is here to introduce the new features of Kusion v0.12.0</figcaption></figure><p>As always, we are grateful to the growing KusionStack community for their invaluable contributions, which helped us reach this remarkable milestone. In this post, you will discover some of the exciting new features, selected based on our strong belief in their potential to improve the team collaboration workflow.</p><h3>Kusion Apply Enhancement</h3><p>In the previous versions, the kusion apply command did not automatically wait for all the resources to be available, which might lead to users’ confusions. In this version, we have upgraded the kusion apply command to default to waiting for all the resources to be available before completing the execution. Meanwhile, it also supports the configurable timeout and optimizes the command line terminal interface.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*40WKETI1h131pHyfqOM6nA.gif" /><figcaption>upgraded kusion apply command</figcaption></figure><h3>State Upgrading to Release</h3><p>In the preview versions, when a Stack is applied or destroyed, Kusion would create or update a state file in the backend storage to record the state information of the application resources. In this version, we have upgraded the state file to a release file, which is used to record the metadata, resource spec, the state of the stack resources, and the operation phases. Besides, we have also implemented a locking mechanism for the release file to ensure the concurrent read and write safety in team collaboration scenarios and to meet the needs of audit management.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*xMe-A1Q5CjBJN1Ro5XEsNg.png" /><figcaption>release file in storage backend</figcaption></figure><h3>Kusion Module Management Upgrade</h3><p>In this version, we added kusion mod list and kusion mod add to the kusion mod command, allowing developers to better manage the Kusion modules. kusion mod list can help developers obtain the name, version and OCI artifact URL of the available Kusion module in a specific workspace, while kusion mod add can assist developers in automatically adding the dependency declarations for a specified module in the kcl.mod file and fetching the corresponding module OCI artifact, which is similar to go get .</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*sFCsxyLCgYfkmcvjYKiaQA.gif" /><figcaption>kusion mod list and kusion mod add</figcaption></figure><h3>Workload Modularization</h3><p>In previous versions, the Workload was a component tightly coupled in the AppConfiguration model. In this version, we have modularized the built-in workloads and move the schema definitions of the Service and Job from the codes of Kusion CLI to the <a href="https://github.com/KusionStack/catalog">catalog</a> module repository. Developers can now declare and use Service and Job just as they would with other modules. Moreover, platform engineers can also implement customized workloads according to their own needs, thereby enhancing the extensibility of the AppConfiguration model.</p><p>The definitions and related examples of the modularized Service and Job can be found at:</p><ul><li><a href="https://github.com/KusionStack/catalog/tree/main/modules/workload/service"><em>https://github.com/KusionStack/catalog/tree/main/modules/workload/service</em></a></li><li><a href="https://github.com/KusionStack/catalog/tree/main/modules/workload/job"><em>https://github.com/KusionStack/catalog/tree/main/modules/workload/job</em></a></li></ul><h3>Production Practice Case</h3><p>In this version, we provided an example production-ready practice case of how Kusion integrates with GitHub Actions to help developers and platform engineers collaborate on application delivery and operation. You can refer to the following document for more details:</p><ul><li><a href="https://www.kusionstack.io/docs/user-guides/production-practice-case/collaborate-with-github-actions"><em>https://www.kusionstack.io/docs/user-guides/production-practice-case/collaborate-with-github-actions</em></a></li></ul><p>In the above article, we have defined the workflows for platform engineers and application developers based on the concept of separation of concerns:</p><ul><li>Platform engineers are primarily responsible for creating centralized Kusion backend storage, developing customized Kusion modules, and creating and maintaining the standardized platform configurations in the workspace.</li><li>Application developers can focus on the application business logic and configuration codes, and trigger the automated GitHub Actions pipelines by submitting configuration codes to complete the preview and apply process.</li></ul><h3>Bug fixes</h3><ul><li>Fix a bug of customized namespace to correctly get Kubernetes namespace</li><li>Fix a bug of secrets management</li><li>Fix some bugs of Kubernetes resource normalization and conversion</li><li>Fix some bugs of applying and destroying Terraform resources on the Windows system</li></ul><h3>New Contributors</h3><p>Sincere gratitude to @ Liuxingyu1111111 and @ wolfcode111 for contributing to the <a href="https://github.com/KusionStack/kusion">kusion</a> repository.</p><h3>Summary</h3><p>In this version, we have enhanced the ability and user interface of the kusion apply command, and upgraded the state file in the storage backend into release , while also optimizing the experience for application developers to use Kusion modules. Aside from the ones mentioned above, there are tons of small improvements and changes in this release as well. You can find the full details in the <a href="https://github.com/KusionStack/kusion/releases/tag/v0.12.0">Release Note</a>.</p><blockquote><em>Welcome to our Github and leave some feedback! ⭐️</em></blockquote><blockquote><em>Github: </em><a href="https://github.com/KusionStack/kusion"><em>https://github.com/KusionStack/kusion</em></a></blockquote><blockquote><em>Website: </em><a href="https://kusionstack.io/"><em>https://kusionstack.io</em></a></blockquote><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=a8c3efbe51bd" width="1" height="1" alt="">]]></content:encoded>
        </item>
    </channel>
</rss>