Base Services

What Karrots provides in a New Cluster

Base Services Inventory

  • Ambassador Edge Router (Envoy north-south traffic routing)
  • Istio (east-west micro-services routing)
  • Flux/Helm-Operator (GitOps)
  • Vault
  • Cert-Manager (Automated TLS cert generation via Let's Encrypt)
  • RBAC-Manager
  • Bitnami Sealed-Secrets

Organization-Specific Services

  • Bring up services from your central GitOps/Flux repo, branch and path
  • Bring up services from your cluster-specific GitOps/Flux repo, branch and path

Security Posture

  • Creates an EKS, GKE or Azure service account that owns the cluster
  • Creates EKS, GKE or Azure IAM roles and policies owned by the cluster's service account
  • RBAC integration with the cluster's IAM roles and policies
  • mTLS for all traffic, internal and external
  • Application-level secrets encryption using Vault
  • Encrypts secrets stored in git with the cluster's Sealed-Secrets RSA key pair; only the private key held inside the cluster can unseal them
  • Vault-generated temporary tokens
  • Highly restricted external access to nodes and services
  • A bastion with SSH key management that can issue Vault temporary tokens for kubectl access
  • Customizable network policies to segregate application groups
  • Node isolation groups
  • Namespace segregation (the default namespace is deliberately avoided, so every workload must be placed in an explicitly chosen namespace)

Network Topology

  • Standalone sub-domain: [subdomain].[your-domain].com
  • Installs an NS record into your primary domain so the cluster is world-routable
  • Automated (ACME) self-refreshing TLS termination at the load balancer
  • User-selected cluster controller class: Zone, MultiZone or Regional

Resource Management

  • User-defined application class types, e.g. big, little, ram-y, spot-y
  • User-defined node class types, e.g. big, little, ram-y, spot-y
  • User-defined node pools based on the user-defined application class types above
  • User-defined autoscale policy
  • Automatically applies taints to nodes, and the corresponding tolerations to workloads (services, StatefulSets, Deployments and Pods), to keep workloads "in their lane"
  • Tags all resources so they can be tracked in billing