Compliance in the Cloud: Compliant Kubernetes vs OpenShift

OpenShift is a Kubernetes distribution by Red Hat tailored for enterprise needs. Compliant Kubernetes is an open source Kubernetes-based distribution for regulated industries. It includes features to ensure compliance with SOC 2, PCI DSS, HIPAA, GDPR, and ISO 27001. What are the similarities and differences, and why should businesses in regulated industries choose Compliant Kubernetes over OpenShift?

OpenShift: the project and product offerings

OpenShift is both an open source project, and a product with enterprise support. The open source project or “origin community distribution” is called OKD. The enterprise product is OpenShift Container Platform (OCP). It comes with different enabled and supported feature sets depending on how much of it one pays to license.

The overview image from the OpenShift product documentation shows these as follows:

So, depending on how much you pay for, you will have either just the lower “OpenShift Kubernetes Engine” (OKE) or the “OpenShift Container Platform” (OCP). The latter comes with a fuller feature set. Finally, Advanced Cluster Manager is available only to customers that pay an even higher licensing cost.

The intended use cases for OpenShift align with those of large enterprises in various industries. So while OpenShift offers a wide range of services as part of the platform, it would not be accurate to say that it is tailored toward any particular industry. Red Hat also does not market it as such.

OpenShift case studies show, however, that it is used in regulated industries. But is it the best choice?

Compliant Kubernetes: project or managed service

In contrast, Compliant Kubernetes is specifically tailored to meet the particular demands that regulated industries face on a daily basis throughout the entire application development and operations lifecycle. Such industries include financial and medical technology (fintech and medtech), where non-compliance with standards such as SOC 2, PCI DSS, HIPAA, and ISO 27001 is simply not an option. Compliance is a permission-to-play requirement.

Compliant Kubernetes, the open source project

Compliant Kubernetes is an open source distribution of Kubernetes, in combination with supporting software that provides key additional features on top. This way, it extends the power of Kubernetes to offer features such as access control, observability, security, and operational ease through automation. Each of these is key for various aspects of regulatory compliance. An overview is given below:

This functionality comes from a set of included software, some of which is included in the following image from the compliance page of the documentation:

Compliant Kubernetes as a managed service

Compliant Kubernetes is developed primarily by Elastisys, a Swedish company with a mission to accelerate innovation in regulated businesses using cloud-native technology. As part of their overall managed service offering, which includes platform services such as databases and message queues, Elastisys also offers a managed Compliant Kubernetes service on top of the compliant cloud providers shown in the image above. This lets customers choose cloud providers under either US or EU jurisdiction, a key requirement for GDPR compliance following the Schrems II ruling. The managed service offering includes 24/7 support and enterprise-grade SLAs.

Feature comparison

Let’s compare the platforms based on requirements placed upon regulated industries by common laws and standards like GDPR, PCI-DSS, HIPAA, ISO-27001, SOC-2 etc.

The following table summarizes the differences:

Now let’s go over these in a little more detail.

Access control

In this category, the platforms offer similar functionality. Role-based access control (RBAC) ships with Kubernetes itself for the Kubernetes API, and it can integrate with OpenID Connect providers. Both platforms ship such a provider, and both support federated identities from LDAP or Active Directory. Both platforms also use this provider for single sign-on to the rest of the platform features.

Observability

Both distributions ship with Elasticsearch and Prometheus for logging and monitoring, together with their associated Kibana and Grafana dashboarding software. These choices enjoy broad community support, are familiar to operations teams, and enable deep inspection of both the platform and deployed applications.

Compliant Kubernetes is ahead of OpenShift here: not only does it ensure that log data is stored in a tamper-proof manner (a compliance requirement for audit logs), it also ships with log retention times chosen to be in compliance with regulatory requirements.

Security

Both platforms ship with a restrictive PodSecurityPolicy in place, which by default forbids deployed application Pods from running with administrative privileges. This greatly reduces the attack surface of deployed services.

Compliant Kubernetes takes security more seriously than OpenShift in several important ways that are key for regulatory compliance. Both projects ship with an internal container registry, but only Compliant Kubernetes performs vulnerability scanning of the container images. This helps catch known vulnerabilities, and policy can even mandate that containers with vulnerabilities may not be deployed to the cluster.

Compliant Kubernetes also ships with an intrusion detection system, which protects against unknown vulnerabilities. If a piece of software suddenly starts misbehaving, which could indicate that it has been breached, such violations will be logged and the software can be terminated.

For additional protection, Compliant Kubernetes also integrates with container sandboxing technology. This adds a layer of protection at the operating system level, such that only pre-approved syscalls are permitted. If an attacker breaches the application software, there will still be a strict limit to what they can do.

Network security

Regarding network security, OpenShift ships with an incomplete Network Policies implementation by relying on vSwitch. Compliant Kubernetes uses Calico, the leading Container Networking Interface provider with support for large-scale networks spanning across private and public clouds. It was also recently updated to support blazingly fast speeds by using the eBPF feature in modern Linux kernels.

Cryptography-wise, OpenShift does not ship with a convenient method for automatically managing certificates of publicly accessible services. Thus, your operations team will have to manage certificates manually, which for compliance means rotating them frequently. In contrast, Compliant Kubernetes ships with cert-manager, which can either use your existing X.509 certificate chain automatically or dynamically obtain certificates using Let’s Encrypt. This automation reduces certificate handling significantly and keeps applications more secure.
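What the Let’s Encrypt path looks like in practice, as an added example and not a manifest from the article or from Compliant Kubernetes itself: a cert-manager ClusterIssuer plus an Ingress that requests a certificate from it. The hostname, contact address and the use of ingress-nginx are assumptions.

```yaml
# Added example, not from the article or Compliant Kubernetes itself: a
# cert-manager ClusterIssuer for Let's Encrypt and an Ingress that asks it
# for a certificate. The hostname, e-mail and ingress class are assumed.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com              # placeholder contact for expiry notices
    privateKeySecretRef:
      name: letsencrypt-prod-account    # ACME account key, stored by cert-manager
    solvers:
      - http01:
          ingress:
            class: nginx                # assumes ingress-nginx serves /.well-known
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webapp
  namespace: webapp
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod   # triggers issuance
spec:
  ingressClassName: nginx
  tls:
    - hosts: [webapp.example.com]
      secretName: webapp-tls            # cert-manager writes key + chain here
  rules:
    - host: webapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: webapp
                port:
                  number: 8080
```

cert-manager creates a Certificate resource from the annotation and renews it on its own (by default when two-thirds of the certificate lifetime has elapsed), so rotation never becomes a manual task; `kubectl get certificate -n webapp` shows whether the certificate is Ready.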

Operations

Both projects release new versions approximately quarterly. This tracks the upstream Kubernetes release schedule.

OpenShift does not ship with a specific backup solution, whereas Compliant Kubernetes does. In Compliant Kubernetes, Velero enables cluster backups, which helps meet the disaster recovery requirements mandated by most regulatory standards.

Although both projects are Certified Kubernetes distributions, OpenShift very clearly incentivises operations teams to use their own distribution-specific command line tooling. Compliant Kubernetes uses standard Kubernetes operations tools, which makes it easier to hire experienced personnel and to get a good return on investment with Kubernetes certification and training, rather than OpenShift-specific ones.

OpenShift ships with a CI/CD system, whose value proposition is that it enables easier application deployment. To gain that value, teams must shape their release processes around this tool. Because such processes are often central to application delivery and operations in organizations, Compliant Kubernetes does not impose a specific tool upon its users. Instead, Compliant Kubernetes offers a container registry to which your existing CI/CD tooling can push container images, after which your release processes can take place.

Summary

In this article, we discussed similarities and differences between OpenShift and Compliant Kubernetes with regard to what matters for regulated industries. The projects are similar in that they both extend the Kubernetes platform with software to make a more complete service offering. Key differences exist in how well they support the regulatory requirements that fintech and medtech companies must be in compliance with. Compliant Kubernetes clearly offers more security-related features than OpenShift, and better supports operational staff in disaster recovery situations.

Compliant Kubernetes is an open source project that can be installed and self-managed on private on-site infrastructure or at public cloud providers, both under US or EU jurisdictions. Companies that would prefer to lean on a managed service offering can turn to Elastisys for the Managed Compliant Kubernetes offering. Elastisys also offers other managed cloud-native services, such as databases and message queues, to offer a comprehensive platform for future generation applications in regulated industries.