Base Services
What Karrots provides in a New Cluster
Base Services Inventory
- Ambassador Edge Router (Envoy north-south traffic routing)
- Istio (east-west microservice routing)
- Flux/Helm-Operator (GitOps)
- Vault
- Cert-Manager (Automated TLS cert generation via Let's Encrypt)
- RBAC-Manager
- Bitnami Sealed-Secrets
Organization-Specific Services
- Bring up services from your central Gitops/Flux repo/branch/path
- Bring up services from your cluster-specific Gitops/Flux repo/branch/path
Security Posture
- Creates an EKS, GKE or Azure service account that owns the cluster
- Creates EKS, GKE or Azure IAM roles and policies owned by the cluster's service account
- RBAC integration with the cluster's IAM roles and policies
- mTLS for all traffic, internal and external
- Application-level secrets encryption using Vault
- Encrypt secrets stored in git with Sealed-Secrets; only the Sealed-Secrets private RSA key held in the cluster can decrypt them
- Vault-generated temporary tokens
- Highly restricted external access to nodes and services
- A bastion with SSH key management that can issue Vault temporary tokens for kubectl access
- Customizable network policies to segregate application groups
- Node isolation groups
- Namespace segregation (that shuns the default namespace to force considered security practice)
Network Topology
- Standalone sub-domain: [subdomain].[your-domain].com
- Installs an NS record into your primary domain so the cluster is world-routable
- Automated, self-renewing (ACME) TLS certificates, terminated at the load balancer
- User-selected cluster controller class: Zone, MultiZone or Regional
Resource Management
- User-defined application class types, e.g. big, little, ram-y, spot-y
- User-defined node class types, e.g. big, little, ram-y, spot-y
- User-defined node pools based on user-defined application class types above
- User-defined autoscale policy
- Automatic application of node taints and matching workload tolerations (Services, StatefulSets, Deployments and Pods) to keep workloads "in their lane"
- Tags all resources to track them in billing
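How a node taint plus a matching nodeSelector and toleration keeps a workload in its lane, as an added illustration rather than a manifest Karrots itself generates; the label/taint key app-class, the namespaces and the image names are assumptions.

```yaml
# Illustrative manifests (not Karrots' own). Assumes each node pool carries an
# app-class label plus a NoSchedule taint with the same key/value (e.g. spot-y).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: batch-worker
  namespace: batch            # not "default": see namespace segregation above
spec:
  replicas: 3
  selector:
    matchLabels:
      app: batch-worker
  template:
    metadata:
      labels:
        app: batch-worker
    spec:
      nodeSelector:             # only spot-y nodes are eligible ...
        app-class: spot-y
      tolerations:              # ... and only Pods tolerating the taint may land there
        - key: app-class
          operator: Equal
          value: spot-y
          effect: NoSchedule
      containers:
        - name: worker
          image: example.com/batch-worker:1.0   # placeholder image
---
# The "big" class workload tolerates only the big taint, so it is never scheduled onto spot-y nodes.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: web
spec:
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      nodeSelector:
        app-class: big
      tolerations:
        - {key: app-class, operator: Equal, value: big, effect: NoSchedule}
      containers:
        - {name: api, image: example.com/api:1.0}   # placeholder image
```

A Pod that carries neither the nodeSelector nor the toleration is rejected by every tainted pool, which is what makes the class boundary enforceable rather than advisory.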