Compliant Kubernetes or AWS Elastic Kubernetes Service

AWS Elastic Kubernetes Service (EKS) was launched in 2018 to offer a managed Kubernetes control plane. In this context, the control plane in Kubernetes consists of master nodes and the etcd database. The latter stores all information related to your Kubernetes resources, such as Pods, Deployments, and ConfigMaps. The AWS EKS control plane is redundantly deployed across multiple availability zones, and made available to you for a low fee (at time of writing: $0.1 per hour, so roughly $72 per month).

However, just a control plane is not particularly useful in itself. It is not what will host your services. For that, you must deploy Kubernetes workers. In EKS, these will either be Elastic Compute Cloud (EC2) instances or AWS Fargate. Users of AWS Outposts can also let EKS manage those instances.

AWS Fargate is marketed as a “serverless” way of running containers. Thus, on Fargate, you do not have to manage the underlying servers yourself, but pay a larger fee per “compute unit” to have AWS do it for you. With this setup, you only have to provision a Pod in EKS, which will instruct Fargate to host it for you. Alternatively, EC2 instances with the right software installed can be instructed to join an EKS cluster. This lets EKS use them as Kubernetes workers for hosting your services.

The EKS features page lists features that can, without loss of accuracy, be summarized as “well-integrated with AWS services”. This is no accident. Aside from an attractive price point and integration with AWS services, EKS really does not provide any additional features to your Kubernetes cluster.

How does Compliant Kubernetes compare to AWS EKS?

Elastisys Compliant Kubernetes (CK8s) is an open source Kubernetes distribution. It is Certified Kubernetes, which means that official tests ensure that all cloud-native tooling will work on it. A distribution differs from the underlying Kubernetes platform in that it provides additional features by making certain technology choices for you and thus delivers a more complete and cohesive product offering to you.

Compliant Kubernetes is specifically tailored to reduce the compliance burden for companies in regulated industries, such as medtech (HIPAA, PDL), fintech (PSD, FFFS), and general handling of personal information (GDPR, CCPA). We leverage our deep understanding of both technology and compliance standards to produce technological artifacts that help you adhere to all required policies.

Given that EKS really is “nothing more” (not attempting to belittle it!) than a managed Kubernetes control plane with deep integration to other AWS services, it really would not be fair to compare a full distribution to it. So let’s take a look at the entire service offering: what does Compliant Kubernetes offer, and what in the AWS ecosystem of services does that correspond to?

Cloud provider neutral

First of all, installation. Compliant Kubernetes can be installed in your local data center or at the competing cloud provider of your choice. EKS obviously cannot. This is a huge deal for EU-based companies, or companies doing business there, because of the July 2020 Schrems II ruling, which means that Privacy Shield is void.

The ability to mix and match between on-site infrastructure and various cloud providers is a huge boon to minimizing risk. Some regulations require that data never leaves certain jurisdictions or that it is processed on systems that are not reachable over the Internet. Compliant Kubernetes can be installed entirely locally, and does not force you to expose your cluster to the Internet. Compared to the AWS offering, which requires not only Outposts but also Internet access to leverage the AWS ecosystem of services, this is a large plus.

Building and deploying applications

Second, application building and container image hosting. AWS offers a build service (AWS CodeBuild) and can optionally encrypt images at rest, but that is about as far as AWS goes. By integrating Docker Notary into Compliant Kubernetes, however, we can ensure that images are cryptographically signed. The Open Policy Agent (OPA) can then forbid unsigned images from ever being deployed to the cluster.

Once application container images have been built, they should be stored in an image registry. Here, AWS offers Elastic Container Registry (ECR), and Compliant Kubernetes offers an in-cluster Harbor instance. Being in-cluster, your images are safely stored on your own hardware of choice and thus require no Internet access (and remain available even during an Internet service outage). Unlike ECR, Harbor also performs vulnerability scanning, reflecting that security is an ongoing process. So Harbor in Compliant Kubernetes is not just a dumb container image storage area: it actively looks out for you and warns you when vulnerabilities are discovered in images you already have.

Security in depth during runtime

Speaking of security, Compliant Kubernetes comes with the Open Policy Agent (OPA), which, aside from requiring images to be signed, can also be configured to disallow many common configuration mistakes. Policies are checked and enforced before resources are even seen by the rest of the Kubernetes cluster. Thus, configuration errors that violate policy never make it into production. AWS offers nothing similar, which is also the reason we so often read about exposed, misconfigured S3 buckets or DynamoDB instances in the news. Our customers are more careful than that and appreciate the added guard rails that OPA offers.

During application runtime, Compliant Kubernetes offers intrusion detection via Falco. Falco continuously checks that your software behaves as it should. AWS offers nothing like this.

Compliant Kubernetes comes with secure-by-default settings. EKS, much like unmodified (“vanilla”) Kubernetes, does not. We continuously improve the security of the clusters by adding advanced functionality, such as sandboxes for containers, and by setting sensible defaults, such as Pod Security Policies.
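To make the two preceding points concrete, here is an added example of the kind of admission-time policy check described above: images must be digest-pinned (the form a signature ultimately binds to) and come from the trusted registry, and the securityContext mistakes that Pod Security Policies guard against (privileged containers, privilege escalation, running as root, host namespaces) are rejected. This is illustrative Python shaped like a Kubernetes validating admission webhook, not Elastisys code and not OPA's own Rego policy language, in which Compliant Kubernetes would express the same rules. The registry hostname harbor.example.internal, the digest and the two Pod manifests are constructed placeholders.

```python
"""Admission-style policy checks of the kind the text attributes to OPA.

A Kubernetes validating admission webhook receives an AdmissionReview and
answers allow/deny before the object is persisted. The checks below reject
images that are not digest-pinned or not from the trusted registry, plus the
common securityContext mistakes that Pod Security Policies also guard against.
"""
from __future__ import annotations
import json
import re

# Assumption: the organisation's in-cluster registry. Placeholder hostname.
TRUSTED_REGISTRIES = {"harbor.example.internal"}

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def registry_of(image: str) -> str:
    """Registry host per Docker's reference rules: the first path component is
    a registry only if it contains '.' or ':' or equals 'localhost'; otherwise
    the reference points at the default registry (Docker Hub)."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def check_image(image: str) -> list[str]:
    """A digest is what a signature (e.g. Notary) ultimately binds to; a
    mutable tag such as ':latest' can be re-pointed after signing."""
    problems = []
    if not DIGEST_RE.search(image):
        problems.append(f"image {image!r} is not pinned by sha256 digest")
    reg = registry_of(image)
    if reg not in TRUSTED_REGISTRIES:
        problems.append(f"image {image!r} comes from untrusted registry {reg!r}")
    return problems


def check_pod(pod: dict) -> list[str]:
    """Return every policy violation in a Pod manifest; empty list = admit."""
    violations: list[str] = []
    spec = pod.get("spec", {})
    if spec.get("hostNetwork") or spec.get("hostPID"):
        violations.append("pod shares the host network or PID namespace")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        violations += [f"{name}: {p}" for p in check_image(c.get("image", ""))]
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        if not sc.get("runAsNonRoot"):
            violations.append(f"{name}: runAsNonRoot must be true")
    return violations


def admission_response(review: dict) -> dict:
    """Build the AdmissionReview reply a validating webhook sends back."""
    req = review["request"]
    violations = check_pod(req["object"]) if req["kind"]["kind"] == "Pod" else []
    resp = {"uid": req["uid"], "allowed": not violations}
    if violations:
        resp["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": resp}


def make_review(pod: dict, uid: str = "constructed-uid-1") -> dict:
    """Wrap a Pod in the AdmissionReview shape the API server sends (constructed)."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid,
                        "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "operation": "CREATE", "object": pod}}


# Constructed sample manifests; the digest is a placeholder, not a real image.
DIGEST = "0123456789abcdef" * 4
GOOD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
            "spec": {"containers": [{
                "name": "app",
                "image": f"harbor.example.internal/team/app@sha256:{DIGEST}",
                "securityContext": {"privileged": False, "runAsNonRoot": True,
                                    "allowPrivilegeEscalation": False}}]}}
BAD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
           "spec": {"containers": [{"name": "web", "image": "nginx:latest",
                                    "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(json.dumps(admission_response(make_review(pod))["response"], indent=2))
```

Run as a script, the good manifest is admitted and the `nginx:latest` manifest is denied with all five violations listed in one 403 message, so the developer sees every problem at once rather than fixing them one round-trip at a time. A registry host without a dot, colon or `localhost` is treated as Docker Hub, which is why an unqualified `nginx` fails the trusted-registry check.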

Network traffic: isolation and encryption

Both AWS and Compliant Kubernetes offer automatic certificate handling and rotation, network traffic encryption, and network isolation. However, to get certificate renewals in the case of AWS, you have to trust their proprietary certificate management service to generate and then hold your private key. In stark contrast, with Compliant Kubernetes and its integrated cert-manager, you do not have to trust anyone else with the keys to your kingdom.

Audit and application logs

All AWS services can push logs to CloudTrail, including audit logs, and applications can be made to push logs into it as well. In Compliant Kubernetes, we use Open Distro for Elasticsearch to store both application and audit logs. This way, all application and audit logs are available practically immediately, not just every minute or every five minutes, as with CloudTrail. In both cases, storage can be made tamper-proof to adhere to requirements from e.g. PCI DSS.

Monitoring and observability

AWS offers monitoring functionality through its web console via CloudWatch, but it pales in comparison with the power offered by Prometheus and Grafana. The ability to create dashboards, drill down into monitoring data using complex queries, and rapidly gain insight is key to effective site reliability engineering. Compliant Kubernetes comes with this powerful combo by default, along with the Prometheus Alertmanager, which emits alerts when certain conditions arise. This way, on-call operators and application developers immediately get notifications via, for instance, Slack or PagerDuty.

In EKS, insight into service communication comes from CloudWatch ServiceLens. Compliant Kubernetes offers integration with the cloud-native ecosystem around distributed tracing, instrumented via OpenTracing and visualized via Jaeger. Both integrate with the Istio service mesh, an optional add-on to Compliant Kubernetes.

Ongoing operations

Many regulations explicitly require a disaster recovery process. Such processes often rely on backups being in place. Searching for “EKS backup” on Google comes up conspicuously empty. As a managed service, it is perhaps implied that one does not need to back it up. However, Kubernetes veterans know that a lot of important information is stored in the etcd database, and losing it would be disastrous. Compliant Kubernetes performs backups regularly, so that data loss is minimized.

Both AWS and Compliant Kubernetes track upstream Kubernetes and publish new versions when the project has made new releases.

Summary

This blog post covers a lot of ground. We have shown how the features Compliant Kubernetes offers you compare to the AWS ecosystem of services, in which EKS merely provides a Kubernetes control plane. Built with the needs of regulated businesses in mind, Compliant Kubernetes users benefit from secure-by-default choices and great technology. This way, they worry less about their infrastructure and spend more time developing their applications. To gain even more agility, reduce their compliance burden, and simplify operations considerably, users can rely on Elastisys to provide a fully managed Compliant Kubernetes environment.