In February, we published an article providing a side-by-side comparison of the managed Kubernetes offerings of the three largest cloud providers: Amazon’s Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE). The Kubernetes ecosystem changes rapidly, as do the feature sets of these managed platforms. This post covers important updates to these services made since our original comparison and our April and May updates.
Kubernetes Version Support Matrix
Azure Kubernetes Service
Kubernetes 1.18 Now in Preview
AKS adds preview support for Kubernetes 1.18 less than two months after that version’s release.
Kubernetes Dashboard Becomes Optional
All AKS clusters currently have the Kubernetes Dashboard installed by default with no option for customers to remove it. The Dashboard requires a great deal of effort to secure properly and can still be prone to issues.
Starting with AKS clusters which use Kubernetes 1.18, the Dashboard becomes optional.
Optional Paid SLA Uptime
Until now, the control plane for AKS clusters had been free, but it also had only a best-effort Service Level Agreement (SLA) of 99.5%, with no financial backing in case of lost availability. AKS customers can now opt for a financially-backed control plane SLA of 99.9% for regional clusters and 99.95% for clusters deployed to use Azure Availability Zones. The cost for either cluster type is $0.10/hour, the same as GKE and EKS clusters.
Admission Controller Enforcement
Kubernetes Admission Controllers offer powerful policy and best practice enforcement for clusters by dynamically evaluating requests to the cluster’s Kubernetes API service and rejecting those which do not meet configured criteria. However, a misconfigured or buggy admission controller can wreak havoc in a cluster if it interferes with the creation and management of critical cluster services.
AKS clusters now have an Admissions Enforcer which excludes resources in the kube-system namespace from admission controller evaluation by default.
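To see which admission webhooks could block kube-system workloads on a cluster without such an exclusion, the following added example (not AKS or Azure code) evaluates each webhook's namespaceSelector and failurePolicy against the namespace's labels. The webhook names, the sample configurations and the `control-plane` label on kube-system are constructed assumptions for illustration.

```python
import json

# Constructed sample: trimmed ValidatingWebhookConfiguration objects (hypothetical names).
SAMPLE = json.loads("""[
 {"metadata": {"name": "policy-all"},
  "webhooks": [{"name": "all.example.test", "failurePolicy": "Fail"}]},
 {"metadata": {"name": "policy-scoped"},
  "webhooks": [{"name": "scoped.example.test", "failurePolicy": "Fail",
    "namespaceSelector": {"matchExpressions": [
      {"key": "control-plane", "operator": "DoesNotExist"}]}}]},
 {"metadata": {"name": "policy-soft"},
  "webhooks": [{"name": "soft.example.test", "failurePolicy": "Ignore"}]},
 {"metadata": {"name": "policy-notin"},
  "webhooks": [{"name": "notin.example.test",
    "namespaceSelector": {"matchExpressions": [
      {"key": "team", "operator": "NotIn", "values": ["payments"]}]}}]}
]""")

# Assumed labels on the kube-system namespace for this example.
KUBE_SYSTEM_LABELS = {"control-plane": "true"}

def selector_matches(selector, labels):
    """Evaluate a Kubernetes LabelSelector; an empty or missing selector matches everything."""
    selector = selector or {}
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        ok = {"In": present and labels.get(key) in values,
              "NotIn": not present or labels.get(key) not in values,
              "Exists": present,
              "DoesNotExist": not present}[op]
        if not ok:
            return False
    return True

def blocking_webhooks(configs, ns_labels):
    """Return webhooks that select the namespace and fail closed (v1 default is Fail)."""
    hits = []
    for cfg in configs:
        for hook in cfg.get("webhooks", []):
            fails_closed = hook.get("failurePolicy", "Fail") == "Fail"
            if fails_closed and selector_matches(hook.get("namespaceSelector"), ns_labels):
                hits.append(f'{cfg["metadata"]["name"]}/{hook["name"]}')
    return hits

if __name__ == "__main__":
    print(blocking_webhooks(SAMPLE, KUBE_SYSTEM_LABELS))
```

Note that a `NotIn` expression on a label the namespace does not carry still matches, which is why the last sample webhook is reported.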
Azure Policy Upgraded to OPA Gatekeeper v3
Azure Policy for AKS, which provides policy enforcement by using a cluster admission controller built on Open Policy Agent Gatekeeper, has been updated from Gatekeeper version 2 to v3. Still in preview, the updated Azure Policy for AKS currently only supports pre-defined policies, although plans exist to support user-created policies.
Amazon Elastic Kubernetes Service
EKS Now Available in GovCloud
EKS can now be deployed in all AWS GovCloud regions.
Google Kubernetes Engine
As a reminder, Google Cloud will start charging for GKE cluster control planes beginning June 6.
Kubernetes Version 1.16 Now in Regular Release Channel
Container Threat Detection Now in Beta
The Container Threat Detection service monitors customers’ containers in GCP for hints of malicious activity, including the use of binaries and libraries that were not part of the runtime container image, and for shell activity from a remote network connection socket.