Introduction
DISCLAIMER: IC Cloud Support is currently in Tech Preview, and is not recommended for production workloads. We are actively working towards full support (GA) for this functionality.
Rancher Government Solutions now enables the native deployment, provisioning, and management of clusters on Intelligence Community Cloud Regions. This added functionality is unique to the Rancher Government product.
What does this mean?
Rancher Government enables Carbide customers to use the Rancher Manager User Interface (UI), a Helm chart, and/or Fleet (GitOps) to deploy, provision, and manage RKE2 and K3s clusters in IC cloud regions. The tech preview currently supports AWS EC2 instances in the classified region C2S.
Rancher Government Solutions actively tests and validates this configuration through regions in AWS GovCloud and Sequoia Combine (Classified Cloud Region Emulator).
Because clusters are provisioned into the same AWS account that Rancher itself runs in, Day 2 operations such as identity and access management (IAM) are greatly simplified: the provisioned nodes can rely on that account's roles rather than on separately distributed credentials. The result is a consistent experience across environments.
Challenges
At a high level, IC Cloud Regions introduce significant complexity into deploying, provisioning, managing, and maintaining infrastructure:
- Temporary Credentials: short-lived credentials (STS tokens), typically valid for less than an hour
- Additional Requirements: such as providing CA bundles, HTTP proxies, etc.
- Controlled Security Access: limited IAM roles, policies, and permissions, plus IAM permission boundaries
- Limited Service Availability: only a subset of AWS services is available, often with limited features
- Unique Regions and Service Endpoints: region names and service endpoints are unique to each environment
- Separation of Duties: requirements are not known up front; each customer imposes its own variations on the items above, and many require human-in-the-loop procedures and processes
Rancher Government reduces these complexities by utilizing assumed IAM roles, providing compatibility with tools such as load balancers and EBS volumes, and enhancing Day 2 operations for managing your Kubernetes infrastructure.
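To make the challenges above concrete, here is an added example (not from this page and not Rancher Government Solutions' own configuration) of how each constraint surfaces in a plain AWS CLI/SDK profile on a host that provisions into an isolated region. Every value is a hypothetical placeholder: the partition, account, role name, region, endpoint domain, CA-bundle path, and proxy address are assumptions and must be replaced with the ones issued for your environment.

```ini
# ~/.aws/config on a provisioning host. Added example with placeholder values;
# nothing here is copied from a real environment.

[profile ic-provisioner]
# Temporary credentials: no long-lived access keys on disk. Base credentials come
# from the EC2 instance profile via IMDS, and the SDK assumes the scoped provisioning
# role on top of them, refreshing the short-lived STS token before it expires.
credential_source = Ec2InstanceMetadata
role_arn = arn:PARTITION:iam::ACCOUNT_ID:role/ROLE_NAME
role_session_name = rancher-provisioner
# Controlled access: request no more session lifetime than the role's maximum allows.
duration_seconds = 3600

# Unique regions and endpoints: the region name is environment-specific, and
# STS must be called at the regional endpoint, not the commercial global one.
region = REGION
sts_regional_endpoints = regional
services = ic-endpoints

# Additional requirements: trust the environment's private CA instead of the
# public roots bundled with the SDK.
ca_bundle = /etc/pki/tls/certs/ic-ca-bundle.pem

# Per-service endpoint overrides (requires AWS CLI v2.13+ or an SDK with
# service-specific endpoint configuration). DOMAIN is the environment's
# service domain, which differs from the commercial amazonaws.com.
[services ic-endpoints]
ec2 =
  endpoint_url = https://ec2.REGION.DOMAIN
sts =
  endpoint_url = https://sts.REGION.DOMAIN

# HTTP proxies are set in the process environment rather than in this file.
# The IMDS address must be excluded, or credential_source = Ec2InstanceMetadata
# will be routed through the proxy and fail:
#   HTTPS_PROXY=http://proxy.internal:3128
#   NO_PROXY=169.254.169.254,localhost
```

A quick end-to-end check is `aws sts get-caller-identity --profile ic-provisioner`: a response naming the assumed role confirms that the instance-profile credentials, role assumption, regional STS endpoint, CA bundle, and proxy exclusions all work together. If it returns a certificate or connection error, the CA bundle path or the NO_PROXY exclusion is the usual culprit.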
Comparing Imported & Rancher-Provisioned Clusters
Utilizing Rancher provisioning in IC Cloud Regions allows you to take advantage of additional cluster management features.
| Feature/Functionality | Imported Cluster | Rancher-Provisioned Cluster |
|---|---|---|
| Cluster Access with kubectl or kubeconfig | ✓ | ✓ |
| Cluster Access Management (RBAC) | ✓ | ✓ |
| Managing Projects, Namespaces, & Workloads | ✓ | ✓ |
| Managing Persistent Volumes & Storage Classes | ✓ | ✓ |
| Use of Rancher App Catalog(s) | ✓ | ✓ |
| Configuring Infrastructure Tools (Monitoring, Logging, Istio, etc.) | ✓ | ✓ |
| Managing & Running Security Scans | ✓ | ✓ |
| Modifying Cluster Configuration | | ✓ |
| Automated Cluster Kubernetes Version Upgrades | | ✓ |
| Cluster Node Management (Adding/Removing/Scaling) | | ✓ |
| Cluster Node Access via Shell (SSH) | | ✓ |
| Automated Cluster Certificate Rotation | | ✓ |
| Automated Cluster Encryption Key Rotation | | ✓ |
| Ability to Snapshot, Backup, & Restore | | ✓ |
| Configuring PSS/PSA/PSP | | ✓ |
Future State
As Rancher Government Solutions works towards general availability (GA) of IC Cloud Support, we seek to achieve parity between commercial and IC cloud regions. We plan to augment the current state in the following ways:
- Principle of Least Privilege: pod-level permissions instead of node-level permissions, so a compromised workload cannot inherit the node's full IAM access
- Reducing Implementation/Migration Burden: utilizing Rancher Manager UI Extensions (e.g. STIGATRON)
- Additional Functionality: Carbide provisioning for all supported drivers (e.g. AWS EKS)
If you have additional feedback, please submit issues to our GitHub or contact support.