Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Rancher 2.4 Adds Scalability, Management and Security Capabilities

Rancher 2.4 Adds Scalability, Management and Security Capabilities

This item in japanese

Rancher Labs, has released Rancher 2.4 in line with their 'Run Kubernetes Everywhere' strategy. Rancher is a heterogeneous, multi-cluster, multi-cloud Kubernetes management platform.

The new release is focused on providing the scalability, management and security capabilities required to support Kubernetes at edge scale. A headline enhancement is the path to support for one million clusters (currently available in preview). For general availability, the product now supports two thousand clusters and one hundred thousand nodes.

Another enhancement is limited connectivity maintenance with K3s. Designed for cluster management, upgrades and patches where clusters may not have fixed or stable network connection, Rancher 2.4 can kick off an upgrade remotely, but the process is managed on local K3s clusters, allowing users to manage upgrades and patches locally and then synchronise with the management server once connectivity is restored.

Rancher 2.4 also enables zero downtime maintenance, allowing organisations to upgrade Kubernetes clusters and nodes without application interruption. Additionally, users can select and configure their upgrade strategy for add-ons so that DNS and Ingress do not experience service disruption.

Rancher 2.4 introduces CIS Scan, which allows users to run ad-hoc security scans of their RKE clusters against CIS benchmarks published by the Centre for Internet Security. Users can create custom test configurations and generate reports illustrating pass/fail information from which they can take corrective action to ensure their clusters meet security requirements.

Rancher 2.4 is available in a hosted Rancher deployment, in which each customer has a dedicated AWS instance of a Rancher Server management control plan. The hosted offering includes a full-featured Rancher server, delivers a 99.9% SLA and automates upgrades, security patches and backups. Downstream clusters (e.g. GKE, AKS) are not included in the SLA and continue to be operated by the respective distribution provider. Several best practices were followed during the hosted Rancher build, including infrastructure as code (IaC), immutable infrastructure and a 'Shift Left' approach. Packer, Terraform and GitHub were chosen for tooling.

Rancher delivers a consistent Kubernetes management experience for all certified distributions, including RKE, K3s, AKS, EKS, and GKE on-premise, cloud and/or edge.

InfoQ spoke to Sheng Liang, CEO and co-founder of Rancher Labs, about the announcement:

InfoQ: What is 'the edge'?

Sheng Liang: When talking about the edge, people typically mean small and standalone computing resources like set-top boxes, ATM machines, and IoT gateways. In the broadest sense, however, you can think of the edge as any computing resource that is not in the cloud. So, not only do branch offices constitute part of your edge locations, developer laptops are also part of the device edge, and legacy on-premises systems could be considered the data centre edge.

InfoQ: What's the difference between K3s and K8s?

Liang: K3s adds specialised configurations and components to K8s so that it can be easily deployed and managed on edge devices. For example, K3s introduces a number of configuration database options beyond the standard etcd key-value store to make Kubernetes easier to operate in resource-constrained environments. K8s is often operated by dedicated DevOps engineers or SREs, whereas K3s is packaged as a single binary and can be deployed with applications or embedded in servers.

InfoQ: Please can you explain the RKE strategy?

Liang: RKE is Rancher's Kubernetes distribution for data centre deployments. It is a mature, stable, enterprise grade, and easy-to-use Kubernetes distribution. It has been in production and used by large enterprise customers for years. Going forward, we plan to incorporate many of the more modern Kubernetes operations enhancements developed in K3s into RKE 2.0.

InfoQ: Why are people concerned about security in Kubernetes?

Liang: As a new layer of software running between the applications and the underlying infrastructure, Kubernetes has a huge impact on the overall security of the system. On one hand, Kubernetes brings enhanced security by introducing opportunities to check, validate, encrypt, control, and lockdown application workload and the underlying infrastructure. On the other hand, a misconfigured Kubernetes could introduce additional security holes in the overall technology stack. It is therefore essential for Kubernetes management platforms like Rancher to ensure 1) Kubernetes clusters are configured securely (using for example, CIS benchmarks) and 2) applications take advantage of the numerous security enhancements offered by Kubernetes.

InfoQ: What are the typical security requirements a Kubernetes cluster needs to comply with?

Liang: At the most basic level, every Kubernetes cluster needs to have proper authentication, role-based access control, and secret management. When an enterprise IT organisation manages many different clusters, they need to make sure to have centralised policy management across all clusters.  An enterprise IT organisation, for example, can mandate a policy that all production Kubernetes clusters have the necessary security tools (e.g., Aqua or Twistlock) installed. InfoQ: If teams want Rancher hosted on Azure or GCP can they have that? Liang: As open source software, Rancher can be installed on any infrastructure, including AWS, Azure, and GCP. In that case though the users have to operate Rancher themselves. The initial launch of hosted Rancher in Rancher 2.4 only runs on AWS.  We plan to launch hosted Rancher in Azure and GCP in the future.

InfoQ: How is it that Rancher is able to support such a wide range of Kubernetes distributions?

Liang: Rancher is able to support any Kubernetes distribution because Kubernetes is the standard for computing. All Kubernetes distribution vendors today commit to running the same upstream Kubernetes code and to passing the same CNCF-defined compliance tests. Rancher is then able to take advantage of the portability guarantee of Kubernetes to create a seamless computing experience that spans the data centre, cloud, and edge. Rancher does not attempt to create a vertically locked-in technology stack that ties Rancher Kubernetes management with Rancher Kubernetes distribution.

InfoQ: What are the geographies that Rancher is targeting for expansion and how will this happen?

Liang: As an open source project, Rancher is adopted by Kubernetes users worldwide. Rancher today has commercial operations in fourteen countries across the Americas, Europe, Africa, and the Asia Pacific region. Our geographic presence will continue to grow as we generate significant amounts of enterprise subscription business in more countries.

InfoQ: What proportion of enterprise applications currently run on Kubernetes and what's the forecast for growth?

Liang: Despite the rapidly rising popularity of Kubernetes, the proportion of enterprise applications running on Kubernetes is still small among Rancher customers. Rancher customers have reported low single digits percentage of applications running on Kubernetes, which represents tremendous upside growth potential for Rancher.

Download the Rancher 2.4 Technical Architecture Guide here.

Rate this Article