Kubernetes LEMP Stack

Kubernetes LEMP Stack is a distributed LEMP stack built on top of a Kubernetes cluster. It enables anyone to deploy multiple CMSs (currently WordPress) for any number of websites. We built it to be secure and very fast by default.

Currently this supports Google Compute Engine as a cloud provider. Other providers haven't been tested (things like PersistentVolume and Ingress depend on your cloud provider).

There are already stable turn-key deployments for various CMSs via Kubernetes Helm Charts, but Kubernetes LEMP Stack is designed more or less in the traditional LEMP fashion where you get a bucket for all of your HTML at /var/www/html and you may or may not use a CMS.

Actually, k8s LEMP Stack should be able to serve as your own personal web server farm! Use it as a backend to your own cloud hosting company! We also want extra customisation in terms of our web server and security hardening measures. In addition, future improvements aim to make this software scalable and highly-available.

How It Works

• WordPress

  • Each WordPress CMS is based on the wordpress:php7.3-fpm image with extra required PHP extensions such as redis. WordPress is contained in one Deployment controller along with an NGINX container with FastCGI caching and the NAXSI web application firewall.
  • Each WordPress Deployment gets it's own PersistentVolume as well as Secret objects for storing sensitive information such as passwords for their DBs.
  • ConfigMaps are used to inject various php.ini settings for PHP 7.3.

• NGINX

  • The NGINX container has multiple handy configurations for multi-site and caching, all easily deployed using ConfigMap objects.
  • We build NGINX with the nginx-naxsi image, which comes with:
    • NBS System's NAXSI module. NAXSI means NGINX Anti-XSS & SQL Injection.
    • Handy configurations for NGINX and the NAXSI web application firewall are also included via ConfigMaps.

• MariaDB

  • Initially, the WordPress pods all interface with one mariadb StatefulSet. This is so anyone can start off with a full-fledged web farm and bring up any number of websites using one mariadb instance with a databse for each site. Future improvements will allow for HA and scalable clustered RDBMSs.
  • mariadb also gets a PersistentVolume and Secret objects.
  • Updating StatefulSet objects in Kubernetes is currently a manual process, meaning we have to execute MySQL commands in the mariadb pod to add new databases and users.

• Redis

  • To reduce hits to the DB we build the WP image with the redis PHP extension and include a Redis Deployment.
  • WP must be configured to use Redis upon initialising a new WP site by installing and configuring the WP Redis Object Cache plugin.

• Ingress/Kube Lego

  • Websites are reached externally via an nginx Ingress controller. See Kubernetes documentation regarding Ingress in the official docs and on GitHub.
  • All TLS is terminated at Ingress via free Let's Encrypt certificates good for all domains on your cluster. Better yet, certificate issuance is handled automatically with the awesome cert-manager.

• See Installation and Usage for instructions on getting up and running.

TODO

• Add diagram detailing the general structure of the cluster
• High availability
  • Ceph distributed storage
  • (Optional) HA MySQL via sharding, clustering, etc.
  • Add shared and distributed storage to WordPress deployments so they can then be replicated
• PHP socket
• New annotation kubernetes.io/ingress.global-static-ip-name: "wpclust-ingress"
• Migrate to certmanager (with Helm installation)

Installation and Usage

Visit USAGE.md.

Acknowledgements

This project was inspired by the official Kubernetes WordPress + MySQL sample and builds on it with the various other official Docker images and Kubernetes applications mentioned previously.