Register for our next webcast - securing containers and Kubernetes with StackRox Save My Seat >
{ .link_text }}

EKS vs GKE vs AKS - June 2020 Update

In February, we published an article providing side-by-side comparison between the managed Kubernetes offerings of the three largest cloud providers: Amazon’s Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE). The Kubernetes ecosystem changes rapidly, as do the feature sets of these managed platforms. This post covers important updates to these services made since our original comparison and our April and May updates.

Kubernetes Version Support Matrix

VersionAKSEKSGKEKubernetes
1.18previewX
1.17previewRapid ChannelX
1.16XdefaultXX
1.15defaultXX
1.14XXdefault
1.13deprecated

Azure Kubernetes Service

Kubernetes 1.18 Now in Preview

AKS adds preview support for Kubernetes 1.18 less than two months after that version’s release.

Kubernetes Dashboard Becomes Optional

All AKS clusters currently have the Kubernetes Dashboard installed by default with no option for customers to remove it. The Dashboard requires a great deal of effort to secure properly and can still be prone to issues.

Starting with AKS clusters which use Kubernetes 1.18, the Dashboard becomes optional.

Gartner Report | 12 Things to Get Right for Successful DevSecOps

Download Today
Optional Paid SLA Uptime

Until now, the control plane for AKS clusters had been free, but it also had only a best-effort Service Level Agreement (SLA) of 99.5%, with no financial backing in case of lost availability. AKS customers can now opt for a financially-backed control plane SLA of 99.9% for regional clusters and 99.95% for clusters deployed to use Azure Availability Zones. The cost for either cluster type is $0.10/hour, the same as GKE and EKS clusters.

Admission Controller Enforcement

Kubernetes Admission Controllers offer powerful policy and best practice enforcement for clusters by dynamically evaluating requests to the cluster’s Kubernete API service and rejecting those which do not meet configured criteria. However, a misconfigured or buggy admission controller can wreak havoc in a cluster if it interferes with the creation and management of critical cluster services.

AKS clusters now have an Admissions Enforcer which excludes resources in the kube-system namespace from admission controller evaluation by default.

Azure Policy Upgraded to OPA Gatekeeper v3

Azure Policy for AKS, which provides policy enforcement by using a cluster admission controller built on Open Policy Agent Gatekeeper, has been updated from Gatekeeper version 2 to v3. Still in preview, the updated Azure Policy for AKS currently only supports pre-defined policies, although plans exist to support user-created policies.

Amazon Elastic Kubernetes Service

EKS Now Available in GovCloud

EKS can now be deployed in all AWS GovCloud regions.

Google Kubernetes Engine

As a reminder, Google Cloud will start charging for GKE cluster control planes beginning June 6.

Kubernetes Version 1.16 Now in Regular Release Channel
Container Threat Detection Now in Beta

The Container Threat Detection service monitors customers containers in GCP for hints of malicious activity, including the use of binaries and libraries that were not part of the runtime container image, and for shell activity from a remote network connection socket.


Categories: