ra2 studio - Fotolia
A new version of Rancher Labs' Kubernetes management software delivers security certification and multi-cloud management features that are sought after by its customers, but the container orchestration specialist faces fresh competitive challenges as large IT vendors begin to erode its multi-cloud management lead.
Rancher Kubernetes 2.5 stays a step ahead of most enterprise Kubernetes platforms by beginning to incorporate the advanced features included with third-party Kubernetes clusters. Previous versions could import multiple clusters from various sources and manage them centrally, with some additional features such as unified user authentication. But as cloud providers' managed services added more native features, such as user control over individual node pools in Amazon EKS, Rancher didn't include them. That approach no longer made sense.
"Kubernetes is the same [across clouds], but all the other enhancements people are adding may be different," said Sheng Liang, CEO of Rancher. "The easiest thing to do would be treat [cloud provider Kubernetes services] as dumb, and make sure people use all of your stuff, but that's not what's required or what customers want."
Gopi BalasingamDirector of IT operations, MPAC
Beginning with Amazon EKS, advanced features from public cloud managed Kubernetes services will be preserved when they're imported with Rancher. Users can dig into advanced features of EKS such as node pool management and rolling upgrades, and similar support is planned for Google's GKE and Microsoft Azure's AKS.
Rancher 2.5 also renews the value-add features it adds to Amazon EKS, such as CIS (Center for Internet Security) benchmarking, support for Istio service mesh, and integration with the open-source Gatekeeper Kubernetes ingress controller.
One Rancher user hailed the advancements.
"With [version] 2.5 they're bridging the gaps quite a bit with [features] we were asking for," said Gopi Balasingam, director of IT operations at the Municipal Property Assessment Corporation (MPAC) in Pickering, Ontario, which has used Rancher Kubernetes and Amazon EKS together since June.
Previously, some EKS management tasks required a separate login to the AWS Console. "The single pane of glass [with EKS] is huge," Balasingam said.
Rancher Kubernetes brushes up security bona fides
The 2.5 release cycle also includes RKE-Government, a specialized version of Rancher Kubernetes Engine, the Kubernetes distribution created by Rancher which is certified as compliant with Federal Information Processing Standards (FIPS). These are a series of certifications that for tools such as Rancher largely center around integrations with third-party encryption tools, Liang said.
Little has technically changed to earn the FIPS certification for RKE-Government, according to Liang, though it validates previous security feature updates to Rancher Kubernetes such as CIS benchmarking, and support for audit logging. Eventually, RKE-Government features will be added to RKE so there's no separation between the hardened version and the default, Liang said.
Still, the certification is important to users such as MPAC, which is subject to strict regulation by the Canadian government. In fact, Rancher's security features such as centralized multi-cluster role-based access control were the most compelling factor in MPAC's decision to sign on as a customer rather than continue to use open source kops for Kubernetes management earlier this year.
In the past, Rancher provided templates and scans that provided evidence clusters were secure according to NIST, CIS and Department of Defense standards, but FIPS certification goes a step further, Balasingam said.
"Now that we have a vendor coming in saying this is hardened and specially built for government, it's [showing auditors that it's] not just what I think is the best container security," Balasingam said. "And every release that comes out will meet that standard -- that's been the challenge. One release, it's hardened, but then the next one puts the onus back on to us."
Rancher, SUSE face down IT goliaths
Rancher isn't alone in offering FIPS certification within a Kubernetes platform -- Red Hat OpenShift supports FIPS encryption modules starting with version 4.3, released in January, and VMware Tanzu Application Service for VMs (previously known as Pivotal Cloud Foundry), has FIPS-certified elements, though not yet for the Tanzu Application Service for Kubernetes, which remains in beta.
Rancher has a head start in multi-cluster management across multiple clouds, while Red Hat and VMware have only recently begun to embrace such architectures, said Gary Chen, an analyst at IDC, but will be challenged as never before to integrate with new parent company SUSE, whose July 2020 acquisition bid has not yet closed, and face off with those vendors' powerful global sales forces.
"Rancher has the most functionality, but it's still a big question whether that will be enough of a value proposition to capture customers long-term," Chen said. "Rancher is innovative and good in the community, but it's still going up against giants now."
SUSE broadens Rancher's sales and marketing resources as an older, larger company, but has been through its own share of upheavals, including a spinoff from parent company Micro Focus International and acquisition by a private equity firm in 2019.
"This was a great acquisition for SUSE," Chen said. "They really needed to do something to boost their core platform business, and they'll give Rancher a bigger channel, but they're still relatively small [compared to IBM and VMware] and in the midst of their own transformation."