Published June 4, 2021 | Version v2
Preprint Open

Building a Kubernetes infrastructure for CERN's Content Management Systems

Description

The infrastructure behind home.cern and 1000 other Drupal websites serves more than 15,000 unique visitors daily. To best serve the site owners, a small engineering team needs development speed to adapt to their evolving needs and operational velocity to troubleshoot emerging problems rapidly. We designed a new Web Frameworks platform by extending Kubernetes to replace the ageing physical infrastructure and reduce the dependency on homebrew components.

The new platform is modular, built around standard components and thus less complex to operate. Some requirements are covered solely by upstream open source projects, whereas others are covered by components shared across CERN's web hosting platforms. We leverage the Operator framework and the Kubernetes API to get observability, policy enforcement, access control and auditing, and high availability for free. Thanks to containers and namespaces, websites are isolated. This isolation clarifies security boundaries and minimizes the attack surface, while empowering site owners.

In this work we present the open-source design of the new system and contrast it with the one it replaces, demonstrating how we drastically reduced our technical debt.

Files

vCHEP21_cern_drupal_k8s.pdf

Files (790.9 kB)

md5:9237d44483f8971312f8b123006111c6