add implement multiple worker pools faq

content/faq/how-much-configuration-required-for-proxy.md

@@ -0,0 +1,17 @@
+---
+title: "How much configuration is required to use the proxy?"
+description: "If a VPN is absolutely necessary, then we provide a robust chart to deploy OpenVPN with SSO integration and short-lived client certificates."
+tags:
+- workstation
+- proxy
+- VPN
+- OpenVPN
+---
+
+## Question
+
+How much configuration is required for workstations to use the proxy?
+
+## Answer
+
+If a VPN is absolutely necessary, then we provide a [robust chart](https://github.com/cloudposse/charts/tree/master/incubator/openvpn) to deploy OpenVPN with SSO integration and short-lived client certificates. This requires almost no local workstation configuration. Simply install the OpenVPN client of your choice (we prefer Viscosity), and visit the SSO login page for the VPN to obtain your short-lived credentials as a .ovpn file that will be automatically imported when downloaded by the user.

content/faq/how-to-implement-multiple-worker-pools.md

@@ -0,0 +1,25 @@
+---
+title: "How can we implement multiple worker pools?"
+description: "We use kops manifests (YAML) to define imperative Kubernetes architectures."
+tags:
+- kops
+- Kubernetes
+- manifest
+- clusters
+---
+
+## Question
+
+How can we implement multiple worker pools within our Kubernetes clusters?
+
+## Answer
+
+We use `kops` manifests (YAML) to define imperative Kubernetes architectures.
+
+Inside the manifest (which looks like a standard Kubernetes resource) is a section for `kind: InstanceGroup` that allows for the definition of any number of node pools.
+
+An example manifest is provided [here](https://github.com/cloudposse/geodesic/blob/master/rootfs/templates/kops/default.yaml).
+
+An example of a project with the [Van Valen Research Lab at Caltech](https://github.com/vanvalenlab/kiosk/blob/master/conf/patches/gpu-nodes.yaml) demonstrates where a GPU node pool was added that is scaled down to zero by default.
+
+Using the cluster autoscaler, when a pod is scheduled with the proper labels, the node pool is automatically scaled up.

content/faq/how-to-swap-machine-images.md

@@ -0,0 +1,20 @@
+---
+title: "How can we swap out machine images?"
+description: "The base images are parameterized inside the `kops` manifest."
+tags:
+- kops
+- manifest
+- images
+---
+
+## Question
+
+How can we swap out machine images (e.g. tweak an AMI)?
+
+## Answer
+
+Inside the `kops` manifest, the base images are parameterized with an environment variable `KOPS_BASE_IMAGE`.
+
+One example is provided [here](https://github.com/cloudposse/geodesic/blob/master/rootfs/templates/kops/default.yaml#L150).
+
+Additional information is available [here](https://github.com/kubernetes/kops/blob/master/docs/images.md).

content/faq/should-we-spin-up-a-VPN.md

@@ -0,0 +1,21 @@
+---
+title: "Should we spin up a VPN?"
+description: "If absolutely necessary, we provide a robust chart for OpenVPN with SSO integration and short-lived client certificates."
+tags:
+- VPN
+- Identity-Aware Proxy
+- Cloudflare
+- cluster
+---
+
+## Question
+
+Should we spin up a VPN or rely solely on the Identity-Aware Proxy?
+
+## Answer
+
+Previously, we would spin up OpenVPN + OAuth 2 to grant remote access. However, this method is no longer recommended with the advent of Identity-Aware Proxies (IAPs). We've been using the Bitly OAuth2 proxy. However as of June 2018, this is EOL and no longer maintained by Bitly.
+
+We're now embracing Cloudflare Access (aka Argo) IAP, which works by installing an ingress in your cluster that punctures out through the firewall to the Cloudflare edge. Cloudflare can then route traffic back to your cluster. This is an incredibly secure strategy where the cluster never requires direct exposure. Cloudflare supports multiple means of authentication, including SAML.
+
+That said, if a VPN is absolutely necessary, we provide a [robust chart](https://github.com/cloudposse/charts/tree/master/incubator/openvpn) for OpenVPN with SSO integration and short-lived client certificates.