FMC of Federal Frontier Kubernetes Grid (FKG)
Frontier Management Cluster (FMC)
What is FMC?
As part of FKG, FMC acts as the management cluster for Frontier Cluster API (CAPI) services. It lets administrators deploy and manage workload clusters within your organization. Regardless of which interface is used for FKG, whether it is Frontier CLI or the upcoming graphical user interface (GUI) application Frontier Outpost, each employee will be able to make any necessary changes to their workload clusters from the organization’s FMC.
OAuth 2.0 is an authorization framework that enables the Frontier applications to obtain limited access to user accounts on an HTTP service. The OAuth 2.0 protocol provides API security through scoped JWT access tokens. Frontier CAPI management services will validate and accept these JWT access tokens to enable authentication and authorization inside your FMC without sharing the management cluster’s kubeconfig.
Roles and Authorization
OAuth 2.0 enables you to delegate authorization, while OIDC enables you to retrieve and store authentication information about your end users. OIDC extends OAuth 2.0 by providing user authentication and single sign-on (SSO) functionality. This allows the FMC to restrict access to certain actions based on the permissions granted by the employee user’s roles. There are currently 4 roles that will be utilized for Frontier services. They are:
- Frontier Administrator
- Project Administrator
- Cluster Administrator
- Frontier User
The Frontier Administrator will have maximum permissions over the FMC. They will have supervision over the entire organization's FMC and all of its workload clusters. This should be the only user who has access to the FMC’s kubeconfig, as they will be setting all configurations required to release and install Frontier services for the rest of their organization.
The Project Administrator will have maximum permissions over their projects within the FMC. They will be able to completely manage all workload clusters within their respective project teams.
The Cluster Administrator will have permissions to manage workload clusters within their assigned project teams.
The Frontier User will be able to view active workload clusters within their project teams, but does not have high enough permissions to manage any of them.
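The token validation and role model described above, as an added sketch that is not Frontier's own code: it verifies a token, then applies the four roles to a manage or view request on a workload cluster. HS256 with a shared key stands in for the identity provider's signing scheme so the block runs offline; the claim names (`role`, `projects`), the audience value and the role strings are assumptions, since the page does not define them.

```python
import base64, hashlib, hmac, json, time

# Assumed names: the page does not define claim names, audience or role strings.
AUDIENCE = "frontier-capi"
MANAGE, VIEW = "manage", "view"

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def sign(claims, key):
    """Issue a constructed HS256 token (stands in for the identity provider)."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(mac)}"

def verify(token, key, now=None):
    """Return the claims only if algorithm, signature, audience and expiry pass."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":  # pinned; rejects "none"
            return None
        want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, b64d(sig)):
            return None
        claims = json.loads(b64d(body))
        if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None  # malformed input fails closed

def allowed(claims, action, project):
    """Apply the four roles to one action on a workload cluster in `project`."""
    if claims is None:
        return False
    role = claims.get("role")
    if role == "frontier-administrator":
        return True  # organization-wide
    if project not in claims.get("projects", []):
        return False  # every other role is confined to its own projects
    if role in ("project-administrator", "cluster-administrator"):
        return action in (MANAGE, VIEW)  # page separates these two only by scope wording
    return role == "frontier-user" and action == VIEW
```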
When managing clusters, administrators can deploy on a variety of different providers depending on cost and performance. At this time, FKG supports up to 3 different infrastructure providers. These providers are Metal-as-a-Service (MAAS), Amazon Web Services (AWS), and Microsoft Azure. All administrators will be able to build and deploy clusters with a large selection of customized configurations to their liking through each of these providers.
FKG utilizes MAAS to maintain, manage, and deploy virtual machines on physical servers. These physical servers can have AMD64 or ARM64 architecture. Consumers can use ARM64 hardware to create their own virtual machines on physical servers for energy and cost efficiency, but can still use AMD64 hardware if needed.
FKG utilizes AWS to maintain, manage, and deploy workload clusters using Amazon Elastic Compute Cloud (EC2) instances through the FMC. These instances can have AMD64 or ARM64 architecture and can be run with Ubuntu Amazon Machine Images (AMIs). Consumers will be able to choose from a large variety of instance types that affect performance and cost in the cloud, without the need to maintain physical hardware.
Eupraxia Labs utilizes Azure to maintain, manage, and deploy workload clusters using Microsoft Azure virtual machines through the FMC. Consumers will be able to choose from a large variety of virtual machine sizes running Ubuntu operating systems that affect performance and cost in the cloud, without the need to maintain physical hardware.