Tackling security compliance and security threats, and boosting citizen trust and experience across all government services while managing costs, is a long and challenging process for agencies, system integrators, and vendors trying to launch new information systems for the government. Digital technology and digital service platforms, or more specifically clouds and containers, can elevate government operations to support and overcome the challenges a government faces in an increasingly complicated environment.
As you know, Kubernetes, a Platform-as-a-Service (PaaS) on public cloud and a container orchestration system, can and has contributed to developing Government-as-a-Platform (GaaP) to build agile, scalable, reliable, and secure government services. Therefore, I am bringing this article to you to explain how and what Kubernetes can contribute differently to the government.
Kubernetes as a Container Orchestration System
Azure Government is a leading cloud solution for hosting United States government applications. Microsoft presents three options on its Azure Government, namely: Azure Container Service (ACS), Azure Kubernetes Service (AKS), and ACS-Engine.
Today, Microsoft recommends AKS as the number one solution for federal, state, and local agencies, narrowing down from their ‘multiple orchestrators’ model to a ‘Kubernetes as the only orchestrator’ model. According to the Microsoft Azure team, this is because Kubernetes, as a container orchestration system, brings the following features into the solution.
- Scaling out and maintaining containers
- Networking and load balancing
- Service discovery
- Secret Management
- Interface with the cloud provider
For easy explanation and better understanding, I will explain the applicability of Kubernetes as a container orchestration system and as a compliance and governance framework for governments, walking through the same features listed above.
Scaling out and maintaining containers
Government technology has lagged in scalability in past years because of the siloed structure of application development, infrastructure management, and service operation. However, the breakthrough of container technology alongside cloud technology can automate government processes efficiently and at scale, without fear of compromising security, traceability, and accountability to the public.
Irrespective of the application environment, one of the main challenges government organizations face is how to scale applications to keep up with user demand as traffic increases. Kubernetes offers autoscaling features: the Cluster Autoscaler together with the Horizontal Pod Autoscaler dynamically adjusts capacity to the load, to meet public user demand. Under such traffic, pods are created and scheduled onto nodes, consuming only the resources that are available, while traffic is distributed over the multiple instances of the application running on the newly created nodes.
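The scaling described above, as an added example that is not from the article: a Deployment whose pods declare CPU requests, and a HorizontalPodAutoscaler (autoscaling/v2) that grows the replica count between 2 and 20 on CPU utilization. The names, namespace and image are placeholders I chose for illustration.

```yaml
# Added example (not from the article). Placeholder names and image.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: citizen-portal
  namespace: portal
spec:
  replicas: 2
  selector:
    matchLabels:
      app: citizen-portal
  template:
    metadata:
      labels:
        app: citizen-portal
    spec:
      containers:
        - name: web
          image: registry.example.gov/citizen-portal:1.0.0   # placeholder image
          ports:
            - containerPort: 8080
          # A readiness probe keeps a pod out of Service traffic until it can serve.
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8080
            periodSeconds: 5
          # Requests are required for CPU-based autoscaling: the HPA computes
          # utilization as usage / request, so a pod with no CPU request cannot
          # be scaled on CPU.
          resources:
            requests:
              cpu: 250m
              memory: 256Mi
            limits:
              cpu: "1"
              memory: 512Mi
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: citizen-portal
  namespace: portal
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: citizen-portal
  minReplicas: 2          # never below two so a single node failure is tolerated
  maxReplicas: 20         # hard ceiling bounds cost and blast radius
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 60   # add pods when average CPU exceeds 60% of request
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300   # wait 5 minutes before removing pods, avoids flapping
```

Apply with `kubectl apply -f` and watch `kubectl get hpa -n portal`. The HPA needs the metrics-server (or another metrics API) installed to read pod CPU usage. When new pods cannot be scheduled because every node is full, the Cluster Autoscaler, which is deployed separately and configured per cloud provider, adds nodes; the two autoscalers therefore work at different layers and both are needed for the behaviour the paragraph describes.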
Networking and load balancing
However, when running multiple instances of an application on different nodes, there must be a mechanism to distribute the cumulative load among them. The Kubernetes ‘Service’ resource distributes network traffic to all matching Pods, acting as a load balancer for exposed deployments. Also, as the number of pods scales in and out to cater to the traffic, Services monitor and ensure that traffic is sent only to the pods available at that moment. Therefore, Services are the Kubernetes abstraction layer for providing network connectivity to pods, and they work uniformly across clusters.
Service discovery
Service discovery is the process in Kubernetes of figuring out how to connect to a service. With Kubernetes, it doesn’t matter whether your application is cloud-native or non-native for service discovery.
If your application is cloud-native, you can use the Kubernetes APIs for service discovery. You can query the API server for Endpoints, which get updated whenever the set of Pods in a Service changes. If you’re using non-native applications, Kubernetes offers ways to place a network port or load balancer in between your application and the backend Pods. In the end, the elasticity of the application does not break its reachability (either internally or externally), because of the Kubernetes service discovery feature.
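The load balancing and service discovery described in the two passages above, as an added example that is not from the article: a ClusterIP Service that cloud-native clients reach by DNS, a LoadBalancer Service for external exposure, and a non-native client pod that is simply handed the Service's DNS name. It assumes pods labelled `app: citizen-portal` with a readiness probe already exist in a namespace `portal`; all names, the image and the CIDR are placeholders.

```yaml
# Added example (not from the article). Placeholder names, image and CIDR.
apiVersion: v1
kind: Service
metadata:
  name: citizen-portal
  namespace: portal
spec:
  type: ClusterIP          # reachable only from inside the cluster
  selector:
    app: citizen-portal    # the Endpoints are computed from this label selector
  ports:
    - name: http
      port: 80             # port clients connect to
      targetPort: 8080     # container port behind it
# Cloud-native clients resolve this as citizen-portal.portal.svc.cluster.local.
# Only pods that pass their readiness probe appear in the Endpoints, so traffic
# never reaches a pod that is still starting or currently failing.
---
apiVersion: v1
kind: Service
metadata:
  name: citizen-portal-public
  namespace: portal
spec:
  type: LoadBalancer       # the cloud-controller-manager provisions a cloud load balancer
  selector:
    app: citizen-portal
  ports:
    - name: http
      port: 80
      targetPort: 8080
  # Restrict who can reach the external address at the cloud layer. TEST-NET-3
  # is used as a constructed placeholder for the agency's egress range.
  loadBalancerSourceRanges:
    - 203.0.113.0/24
---
# A non-native application needs no Kubernetes API client: it receives the
# stable DNS name and the Service does the load balancing for it.
apiVersion: v1
kind: Pod
metadata:
  name: legacy-reporting
  namespace: portal
spec:
  containers:
    - name: app
      image: registry.example.gov/legacy-reporting:2.3   # placeholder image
      env:
        - name: PORTAL_URL
          value: http://citizen-portal.portal.svc.cluster.local
```

After applying, `kubectl get endpoints citizen-portal -n portal` lists exactly the ready pod IPs; scaling the Deployment up or down changes that list without any client reconfiguration, which is the point the paragraph makes about elasticity not affecting reachability.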
Secret Management
Kubernetes Secrets are objects that store sensitive information such as passwords, SSH keys, and OAuth tokens. There are built-in Secrets, which are created automatically by the system and contain credentials for accessing the API; otherwise, users create Secrets manually. The Secrets concept provides extra security compared with storing credentials in a pod definition or a container image, so that the credentials are not inadvertently exposed to every user. It also simplifies credential updates and administration. Secrets can be access-controlled to specific namespaces and are base64 encoded, with the encoding and decoding process built into Kubernetes.
However, depending on your application environments, there is also a range of Kubernetes-compatible Secret management applications that add an extra layer of security and privacy, which I also recommend applying because government agencies deal with massive sets of sensitive citizen information.
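The Secret handling described above, as an added example that is not from the article: a namespaced Secret written both in base64 `data` form and in plain `stringData` form, and a Pod that consumes it through an environment variable and a read-only volume instead of carrying credentials in its spec or image. The names, image and credential values are constructed placeholders.

```yaml
# Added example (not from the article). Placeholder names and constructed values.
apiVersion: v1
kind: Secret
metadata:
  name: records-db-credentials
  namespace: portal          # Secrets are namespaced; RBAC can scope who may read them
type: Opaque
# "data" values must be base64-encoded by the author; "stringData" accepts plain
# text and the API server encodes it on write. Both end up stored as base64.
data:
  username: cG9ydGFsX3N2Yw==            # base64 of the constructed value "portal_svc"
stringData:
  password: "REPLACE-ME-placeholder"   # constructed placeholder, never a real credential
---
apiVersion: v1
kind: Pod
metadata:
  name: records-api
  namespace: portal
spec:
  automountServiceAccountToken: false   # this workload does not talk to the API server
  containers:
    - name: api
      image: registry.example.gov/records-api:1.4   # placeholder image
      env:
        # Environment injection: convenient, but visible to anyone who can exec
        # into the container or read its /proc environment.
        - name: DB_USER
          valueFrom:
            secretKeyRef:
              name: records-db-credentials
              key: username
      volumeMounts:
        # File injection: the value never appears in the pod spec or in
        # `kubectl describe pod`, and the file mode can be tightened.
        - name: db-password
          mountPath: /var/run/secrets/db
          readOnly: true
  volumes:
    - name: db-password
      secret:
        secretName: records-db-credentials
        items:
          - key: password
            path: password
        defaultMode: 0400   # owner read-only inside the container
```

The base64 encoding is a transport format, not encryption: anyone allowed to `get` the Secret can decode it with `base64 -d`, and by default it is stored in plain form in etcd. That is why the paragraph's recommendation of an external secret manager matters for citizen data; at minimum, enable the API server's encryption-at-rest configuration for the `secrets` resource and scope `get`/`list` on Secrets to the service accounts that need them.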
Interface with the cloud provider
Kubernetes has a cloud-controller-manager that decouples the interoperability logic between Kubernetes and the underlying cloud infrastructure. This component gives cloud providers the flexibility to release features at a different pace from the main Kubernetes project. The cloud-controller-manager operates in a pluggable fashion, allowing different cloud providers to integrate their platforms with Kubernetes. As a result, cloud providers such as AWS, Azure, and Google have developed cloud solutions for government agencies, embedding additional features and enhancing the available ones.
Kubernetes as a Governance and a Compliance Framework
Government organizations and agencies more than any other IT or business organization need applications, infrastructure, and technology to be running on robust Governance, Compliance, and Operational frameworks. Considering those requirements, Kubernetes enables agencies to build comprehensive governance, compliance, and operational frameworks around it.
Authentication, authorization, and access control are key elements of any governance and compliance framework for user management and resource utilization. Kubernetes supports various authentication methods and protocols, ranging from X509 client certificates and static token files to service account tokens and OpenID Connect tokens, giving agencies the freedom to implement authentication rules suited to their environment.
For authorization, Kubernetes RBAC supports the creation of authorization rules packaged as Roles, which control access to and use of Kubernetes resources in compliance with governance frameworks. In addition, Kubernetes also supports the Node and Webhook authorization modules.
In addition to the authentication and authorization modules above, Kubernetes Admission Controllers provide a filtering layer for API requests. Kubernetes Admission Webhooks give agencies the versatility to integrate custom governance and compliance policies based on their administration model. Therefore, Kubernetes can define the rules of the governance and compliance policies needed by government agencies.
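The authentication, RBAC and admission layers described in the three paragraphs above, as an added example that is not from the article: a namespace-scoped read-only Role that deliberately excludes Secrets, a RoleBinding to a group asserted by an OpenID Connect token, and a ValidatingWebhookConfiguration that routes Pod admission to an agency policy service. The group name, namespaces, webhook service and CA bundle are placeholders I chose.

```yaml
# Added example (not from the article). Placeholder names, group and CA bundle.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: auditor-readonly
  namespace: portal
rules:
  # Read-only on workloads and configuration. Secrets are intentionally absent,
  # so auditors can inspect the namespace without being able to read credentials.
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps", "endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: auditors-can-read
  namespace: portal
subjects:
  # The group comes from the OIDC token's groups claim as configured on the API
  # server (--oidc-groups-claim). "agency-auditors" is a placeholder group name.
  - kind: Group
    name: agency-auditors
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role              # binds to the namespaced Role above, not a ClusterRole
  name: auditor-readonly
  apiGroup: rbac.authorization.k8s.io
---
# Admission: every CREATE or UPDATE of a Pod in an opted-in namespace is sent to
# a policy service (placeholder "policy-webhook" in namespace "governance"),
# which may reject it, for instance when the image is not from the agency registry.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: agency-pod-policy
webhooks:
  - name: pods.policy.example.gov        # placeholder; must be a fully qualified name
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Fail                  # fail closed: if the webhook is unreachable, deny
    timeoutSeconds: 5
    namespaceSelector:
      matchLabels:
        governance: enforced             # only namespaces carrying this label are checked
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
        operations: ["CREATE", "UPDATE"]
    clientConfig:
      service:
        namespace: governance
        name: policy-webhook
        path: /validate
      caBundle: "BASE64-CA-BUNDLE-PLACEHOLDER"   # CA that signed the webhook's serving certificate
```

Two checks worth running after applying this: `kubectl auth can-i get secrets -n portal --as=someone --as-group=agency-auditors` should answer `no`, confirming the Role's omission is effective, and `kubectl auth can-i list pods -n portal --as=someone --as-group=agency-auditors` should answer `yes`. `failurePolicy: Fail` is the choice that keeps the policy enforceable when the webhook is down, at the cost of blocking deployments during an outage; pairing it with the `namespaceSelector` keeps the webhook away from system namespaces so a broken policy service cannot wedge the control plane.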
AWS GovCloud and Amazon Elastic Kubernetes Service
Having explained above how and what Kubernetes brings to government, let us look at an example of Kubernetes applied on a government cloud platform.
AWS GovCloud is an isolated and dedicated AWS cloud platform exclusively for US government agencies and related entities, including US government contractors, US military and defense institutions, US educational and research institutes, and many more. AWS GovCloud is designed to support US government compliance requirements such as ITAR and FedRAMP.
Amazon has recently introduced Amazon EKS, a managed Kubernetes service, to AWS GovCloud, thereby providing the opportunity to run Kubernetes on AWS without needing to separately install, operate, and maintain the Kubernetes control plane on GovCloud. This has enabled US government agencies to transition into DevSecOps initiatives and containerization seamlessly.
Final Thoughts on what Kubernetes does for Government
Kubernetes is open-source. Therefore, the unsupported community project code can be downloaded by government agencies and applied to their environment. But there are also many third-party managed services, such as Amazon Elastic Kubernetes Service (Amazon EKS), Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE), which provide complete and seamless DevSecOps government solutions. Therefore, government IT managers can easily bring about the power and capabilities of what Kubernetes does for government if it is planned and invested in properly, without unnecessary resources.