Production-grade Kubernetes Now in an Azure Region near You
• Apr 11, 2018
We’re thrilled to announce that Giant Swarm is now available on Azure. This adds to the support we already have for AWS and on-premise installations and is a feature customers have asked us for a lot of times. This means we can provide Enterprise-ready Kubernetes clusters to our customers that are managed 24/7 by our operations staff. The team has been hard at work building Azure support over several months with the support of our friends at Microsoft and SAP Hybris.
The first workloads we moved to Azure were the Giant Swarm website and our docs site which happened a few weeks ago. For us it’s important to follow an “eat your own dog food” approach - or “drink your own champagne” as Monzo like to call it. By now we also have our first customer installations on Azure.
We provision your Giant Swarm Installation in your Azure Subscription. Each installation has a full control plane for creating and managing your Kubernetes clusters. You can easily create clusters per team, per environment or per customer depending on your needs. This can be done via our web UI, gsctl or our API.
Each cluster has strong isolation from all other clusters. The resources are created in a separate Azure Virtual Network and Resource Group. End-to-end encryption is enabled for all cluster components and each cluster uses a separate PKI infrastructure managed by Hashicorp Vault. Each cluster also has dedicated master and worker nodes running as Azure VMs. This provides much stronger security and resource isolation than using separate namespaces on the same cluster for example.
Each cluster has Kubernetes 1.9 (1.10 coming soon), as well as a fully up to date networking stack including CoreDNS and Calico running in policy only mode for managing your Network Policies. To get the best Kubernetes networking performance we don’t run any overlay solutions (e.g. Flannel with VxLAN or Calico with IPIP tunnels). Instead we use the advantages of native Kubernetes support for Azure User-Defined Routes (Azure UDR).
Security is a key focus for us. All clusters have RBAC (Role Based Access Control) enabled along with appropriate PSPs (Pod Security Policies). We are compliant with the CIS benchmark for Kubernetes which we contributed to the creation of.
The Nginx Ingress Controller is pre-installed on all clusters and is configured with an Azure Load Balancer and DNS records so you can quickly and easily manage your web and API workloads. We use Azure Resource Manager (ARM) templates to provision the Azure resources for each cluster and this is automated by our azure-operator custom controller (we’ll go into more detail on azure-operator in a later post).
Each Resource Group has resource tags so you can easily track costs per cluster, per installation or per organization (a grouping of clusters similar to an organization in GitHub). Lastly, and most importantly your installation and clusters are monitored and managed by our SRE team 24/7.
If you’re already running Kubernetes on Azure, or planning to do so, we’d be pleased to show you how easy this is with Giant Swarm.