The Elastisys Tech Blog


Privacy Shield is void: Time to re-prioritize multi-cloud Kubernetes?


In a decision commonly called Schrems II, the EU Court of Justice ruled that the Privacy Shield is void. This means that US companies operating in the EU no longer enjoy the automatic right to transfer EU citizens’ data into the US. The fundamental reason is a conflict between the EU’s strong data protection rights (à la GDPR) and the US’s strong national security needs. While Standard Contractual Clauses (SCC) were still ruled valid, the Schrems II ruling sent cross-Atlantic cloud computing into long-term uncertainty: Will EU data eventually need to stay inside the EU’s border, perhaps even under EU judicial control?

These issues are not new to our customers. Even before Schrems II, national sentiments required some of our customers to keep data within a certain country. Others made it a Unique Selling Point (USP) to outperform required regulation and keep data geographically close to their users. Moreover, some healthcare companies need to run their application both on-premise and as a SaaS, depending on their evaluation of shared responsibility. These use-cases highlight the need for a cloud-agnostic or even multi-cloud strategy.

How can Kubernetes help?

Kubernetes and Cloud Native technologies promise to decouple the underlying infrastructure from the application. Thus, it should be trivial to move a Cloud Native application from public clouds to private clouds or even bare-metal servers.

“Cloud-native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds.” (Cloud Native Computing Foundation)

However, this application-side simplicity pushes the complexity of dealing with the infrastructure onto Kubernetes in two ways. First, under the hood, Kubernetes needs to be packaged and configured with a specific cloud provider, a component that abstracts away the underlying infrastructure, e.g., how to mount a Persistent Volume. Second, as the saying goes, “Kubernetes is a powerful engine, but you still need to build a car around it”. Each major cloud provider, such as AWS, Google or Azure, provides its own Kubernetes distribution. Said distribution is tightly integrated with the provider’s identity and access management, container registry and logging solution. Other Kubernetes distributions are slightly less coupled to provider-specific services, but are still focused on major US cloud providers.

So does staying in the EU mean no Kubernetes?

Of course not! Kubernetes can be configured not only to run on private clouds built on top of OpenStack, CloudStack or VMware, but also on bare-metal servers. Provider-specific services can be replaced with open-source solutions, such as Dex for identity management, Elasticsearch for logging, Prometheus for metrics and alerting, and Harbor for container registry.

Carefully integrating all these components can lead to a Kubernetes setup that is truly cloud-agnostic. The engineering team gets the same experience, no matter if the application runs on a big US cloud provider or on a quality EU cloud provider. Even if the current plan is to run in a single cloud, a cloud-agnostic strategy reduces uncertainty by facilitating a future migration to a different cloud provider or a future multi-cloud setup.

With even more care, the Kubernetes setup can meet the stringent requirements of regulated industries, such as healthcare. For example, Harbor can be configured with integrated image vulnerability scanning. Open Policy Agent can be added to enforce policies, for example that container images may only be pulled from the local Harbor. Finally, Elasticsearch can run in a separate environment for tamper-proof logging.
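As an added illustration (not taken from Compliant Kubernetes or from the original post), the image-source policy mentioned above could be written in Rego roughly as follows. It assumes OPA runs as a validating admission webhook that receives the Kubernetes AdmissionReview as `input`; the hostname `harbor.example.internal`, the package name and the rule names are placeholders.

```rego
package kubernetes.admission

import rego.v1

# Assumption: placeholder hostname for the local Harbor registry.
# The trailing slash stops lookalike hosts such as
# "harbor.example.internal.lookalike.test" from passing the prefix check.
allowed_registry_prefix := "harbor.example.internal/"

# Every container-like entry in the Pod spec, including init and
# ephemeral containers, which are easy to forget.
pod_containers contains c if {
	some c in input.request.object.spec.containers
}

pod_containers contains c if {
	some c in input.request.object.spec.initContainers
}

pod_containers contains c if {
	some c in input.request.object.spec.ephemeralContainers
}

# Images with no registry host ("nginx:1.25") resolve to a public
# default registry, so they fail the prefix check as well.
deny contains msg if {
	input.request.kind.kind == "Pod"
	some c in pod_containers
	not startswith(c.image, allowed_registry_prefix)
	msg := sprintf("container %q: image %q is not from %s", [c.name, c.image, allowed_registry_prefix])
}

# Constructed test inputs, run with `opa test`.
test_harbor_image_allowed if {
	count(deny) == 0 with input as {"request": {"kind": {"kind": "Pod"}, "object": {"spec": {"containers": [{"name": "app", "image": "harbor.example.internal/team/app:1.0"}]}}}}
}

test_lookalike_and_implicit_registry_denied if {
	count(deny) == 2 with input as {"request": {"kind": {"kind": "Pod"}, "object": {"spec": {
		"containers": [{"name": "app", "image": "nginx:1.25"}],
		"initContainers": [{"name": "init", "image": "harbor.example.internal.lookalike.test/x:1"}]
	}}}}
}
```

Checking at the Pod level also covers Deployments, Jobs and other controllers, because the Pods they create pass through admission too.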

Unfortunately, doing all of this from scratch can become a time-consuming and costly adventure.

Compliant Kubernetes

To help our customers run their application effortlessly across multiple clouds, Elastisys developed Compliant Kubernetes. The distribution supports multiple cloud providers, including AWS, GCP, OpenStack and CloudStack, with Azure and VMware to come. It also comes fully equipped with identity, tamper-proof logging, vulnerability scanning and backups. Together with many other features, it significantly reduces the compliance burden for regulations, such as GDPR and HIPAA.

Compliant Kubernetes is available as open source software, with Elastisys providing support. In addition, Elastisys partnered with many EU cloud providers, such as Exoscale, SafeSpring or CityCloud, to offer Compliant Kubernetes as a managed service. A managed service is desirable because it allows in-house resources to focus on core business development.

In brief, Compliant Kubernetes is a single Kubernetes distribution that allows the same application to run in multiple clouds. A multi-cloud or cloud-agnostic strategy is an effective solution for uncertainty around the future implications of Schrems II and the fall of Privacy Shield.

Contact us to find out more!