
Rancher's Kubernetes updates boost security, UI performance

Enterprise IT pros expect changes to Rancher's Kubernetes management tools to bolster security configuration and UI performance.

Rancher began updates to its Kubernetes management software this month that improve its security configuration process and the performance of its user interface.

Rancher version 2.2.2, rolled out last week, boosts the amount of data the Rancher UI can load at once with the addition of server-side caching and API response compression. These updates are a high priority for large enterprises that use Rancher's Kubernetes product; they have seen delays of up to 30 seconds to load data on hundreds of Kubernetes-based microservices in previous versions.

"We want to have one high-availability Kubernetes cluster and use Rancher to manage everything," said Steven Osborne, senior product development manager at Workiva, a compliance reporting software maker in Ames, Iowa. "We need Rancher to help us grow to that scale and support that customer experience."

Rancher officials believe the caching and data compression features added with version 2.2.2 address most of the UI performance issues, but will continue to fine-tune the UI in future releases.

Rancher version 2.3

Customers also anticipate a better security configuration process in Rancher version 2.3, which is due to ship in the third quarter of 2019. This update will scan Kubernetes clusters against the Center for Internet Security (CIS) Kubernetes Benchmark hardening guidelines, replacing the cumbersome manual checks that security-conscious customers had to perform against older versions.

"Some of the commands and configurations [specified in the CIS guidelines] don't apply or work right in Rancher's Kubernetes distro," said Matthew Esser, product owner of container services and infrastructure at Viasat, a satellite telecommunications company in Carlsbad, Calif.

Hardening Kubernetes according to CIS guidelines also made the upgrade to Rancher 2.2, which Viasat undertook in March 2019, more difficult, according to Esser.

"Our cluster was too locked down, and the upgrade wasn't prepared to handle how clusters were configured," he said. "Everything was online but the [Rancher] UI didn't work right."

In version 2.3, Rancher will verify that its software will work smoothly with hardened clusters, and add toggles to turn certain features on and off according to their compatibility with CIS guidelines.

"Being able to manage that in the UI would be a huge win for us," Esser said.
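To make concrete what a CIS-style scan like the one planned for Rancher 2.3 actually tests, here is an added example of the kind of control-plane flag check the benchmark prescribes. It is illustrative code written for this article, not Rancher's scanner or any CIS tool, and it assumes the kube-apiserver command line is available as a list of arguments (for a static pod, that is the `command` array in `/etc/kubernetes/manifests/kube-apiserver.yaml`; for distributions that run the control plane as plain containers you would pull it from `docker inspect` instead, which is one reason generic benchmark commands do not map one-to-one onto every distro). The two sample command lines are constructed for the example; the control names are paraphrased from the benchmark rather than quoted by recommendation number, since numbering changes between benchmark versions.

```python
"""Minimal CIS-style hardening check for kube-apiserver flags.

Added example for this article; not Rancher's scanner and not an official
CIS tool. Input is the apiserver's argv, e.g. the `command` list of the
static pod manifest (assumption: flags are passed as --name=value).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    control: str   # paraphrased CIS Kubernetes Benchmark recommendation
    passed: bool
    detail: str    # the observed flag value, for the report


def parse_flags(argv: List[str]) -> Dict[str, Optional[str]]:
    """Turn ['kube-apiserver', '--a=b', '--c'] into {'a': 'b', 'c': None}.

    A flag given twice keeps its last value here; list-valued flags such as
    --authorization-mode are comma-separated, so callers split them.
    """
    flags: Dict[str, Optional[str]] = {}
    for arg in argv[1:]:
        if not arg.startswith("--"):
            continue
        name, sep, value = arg[2:].partition("=")
        flags[name] = value if sep else None
    return flags


def check_apiserver(argv: List[str]) -> List[Finding]:
    """Evaluate a handful of benchmark controls against the apiserver flags.

    Defaults matter: an unset --anonymous-auth means true, an unset
    --authorization-mode means AlwaysAllow, an unset --profiling means true.
    """
    flags = parse_flags(argv)
    findings: List[Finding] = []

    anon = flags.get("anonymous-auth")
    findings.append(Finding(
        "anonymous-auth set to false",
        anon == "false",
        f"--anonymous-auth={anon}" if anon is not None else "unset (defaults to true)"))

    modes = (flags.get("authorization-mode") or "AlwaysAllow").split(",")
    findings.append(Finding(
        "authorization-mode does not include AlwaysAllow",
        "AlwaysAllow" not in modes,
        f"--authorization-mode={','.join(modes)}"))
    findings.append(Finding(
        "authorization-mode includes Node and RBAC",
        {"Node", "RBAC"} <= set(modes),
        f"--authorization-mode={','.join(modes)}"))

    audit = flags.get("audit-log-path")
    findings.append(Finding(
        "audit-log-path is set",
        bool(audit),
        f"--audit-log-path={audit}" if audit else "unset (no audit log)"))

    prof = flags.get("profiling")
    findings.append(Finding(
        "profiling set to false",
        prof == "false",
        f"--profiling={prof}" if prof is not None else "unset (defaults to true)"))
    return findings


def failed_controls(argv: List[str]) -> List[str]:
    """Names of the controls the given command line fails."""
    return [f.control for f in check_apiserver(argv) if not f.passed]


# Constructed sample command lines (not taken from any real cluster).
HARDENED_ARGV = [
    "kube-apiserver",
    "--anonymous-auth=false",
    "--authorization-mode=Node,RBAC",
    "--audit-log-path=/var/log/kube-audit/audit.log",
    "--profiling=false",
    "--secure-port=6443",
]
DEFAULT_ARGV = [
    "kube-apiserver",
    "--authorization-mode=AlwaysAllow",
    "--secure-port=6443",
]

if __name__ == "__main__":
    for label, argv in (("hardened", HARDENED_ARGV), ("default", DEFAULT_ARGV)):
        print(f"== {label} ==")
        for f in check_apiserver(argv):
            print(f"[{'PASS' if f.passed else 'FAIL'}] {f.control}: {f.detail}")
```

Run it and the hardened command line passes all five controls while the default-style one fails all five. Note that the checker has to encode each flag's default, because the benchmark's "set X to false" controls fail silently when the flag is simply absent; that is the same class of distro-specific detail Esser describes, where a control's literal command assumes a file layout or process model the distribution does not use.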

Workiva chooses Rancher's Kubernetes over OpenShift, upstream versions

Early Kubernetes adopters debated the merits of upstream Kubernetes versus packaged implementations of the container orchestration software from third-party vendors. Rancher isn't the only game in town for Kubernetes in an enterprise-ready format.


Red Hat OpenShift, the best-known and most widely deployed of packaged distributions, wins praise for its Kubernetes security support through SELinux integration and consistently applied security patches in response to vulnerabilities.

Workiva's Osborne, however, said his company found the Red Hat approach a bit too prescriptive in proof-of-concept tests in 2018. OpenShift supports only OpenShift-managed Kubernetes clusters, while Rancher can import multiple existing Kubernetes clusters based on multiple distributions of Kubernetes and manage them centrally.

"Red Hat had good security features out of the gate, integration with single sign-on features and role-based access controls," he said. "But Rancher didn't have any big opinions on how to run Kubernetes."


Until mid-2018, Workiva had a wholly different strategy from either of the managed Kubernetes products. The company ran its own container clusters in Google Cloud Platform (GCP) and AWS based on a homegrown approach to container orchestration. The team sought a balance between control over container management and freedom for its IT operations personnel to focus on more valuable work to the business. When it became clear that the team's time was spent wrestling with the finer points of distributed systems orchestration, Workiva considered managed Kubernetes services on GCP and AWS, along with Docker Enterprise and OpenShift, before it landed on Rancher's Kubernetes approach and rolled it out in the fall of 2018.

"Rancher lets us optimize bin packing [container placement] within a single cluster that has multiple node groups," Osborne said. Workiva plans to condense all of its services into a single cluster with multiple node groups, and Rancher enables Osborne's team to control Kubernetes nodes, an advantage over the competing managed Kubernetes services.

"It came down to what our SRE [site reliability engineering] and operations team excels at," Osborne said. "They're comfortable running server nodes."

Now that Rancher is set up, the team will open its Kubernetes environment to developers through self-service access to Kubernetes Job objects in 2019.

"In the past, we had an opinionated container infrastructure where we had to build it out first, and now it will be just here for developers to pick which pieces to use," Osborne said. "We can give them direct access, with safeguards."
