Your Kubernetes cluster has basic functionality and comes with optional managed services that provide extra features.
Rackspace KaaS uses Kubernetes system namespaces, such as kube-system, for the managed services. Do not modify any resources in these namespaces.
Rackspace KaaS provides the following optional managed services:
- Custom cluster hardening
- SSL certificate management
- External DNS management
- Ingress management
- Integrated authentication
- Logging
- Container image registry
- Backup
- Monitoring
- Kubernetes Dashboard
Custom cluster hardening#
The custom cluster hardening service applies industry best practice hardening to your Kubernetes cluster. This hardening secures your workloads by enforcing Pod Security Policies (PSPs) that prevent privileged workloads from running by default.
For technical details, see Cluster hardening.
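The following manifest is an added example, not Rackspace's own hardening policy, of the kind of restriction the hardening service enforces: a PodSecurityPolicy that rejects privileged containers, host namespaces and privilege escalation, together with the RBAC that lets ordinary service accounts use it (without the `use` permission, no pod can be admitted at all). The policy and role names are placeholders.

```yaml
# Added example: a restrictive PodSecurityPolicy and the RBAC that authorizes
# every service account to use it. Not the Rackspace KaaS manifest; names are
# placeholders.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-example
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false                 # securityContext.privileged: true is rejected at admission
  allowPrivilegeEscalation: false   # no setuid binaries or added capabilities in child processes
  requiredDropCapabilities: ["ALL"]
  hostNetwork: false                # no host network, IPC or PID namespaces
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: MustRunAsNonRoot          # the image must declare a non-root UID or set runAsUser
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  readOnlyRootFilesystem: false
  volumes:                          # hostPath is deliberately absent from this list
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-example
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames: ["restricted-example"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp-restricted-example-all-service-accounts
roleRef:
  kind: ClusterRole
  name: psp-restricted-example
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    name: system:serviceaccounts    # every service account in every namespace
    apiGroup: rbac.authorization.k8s.io
```

With this in place, a pod whose container sets `securityContext.privileged: true` is refused with `unable to validate against any pod security policy`. Two caveats: the admission controller picks the first policy the requesting user or service account is authorized to `use` that validates the pod, so a more permissive policy that the same accounts can use silently defeats this one; and PodSecurityPolicy was removed in Kubernetes 1.25, where the built-in Pod Security Admission `restricted` level is the equivalent control.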
SSL Certificate management#
The Secure Sockets Layer (SSL) certificate management service automatically provides SSL/TLS certificates for the web-based managed services.
The same service provisions certificates for your own workloads by using Let's Encrypt. It lets you programmatically request, deploy, and automatically renew certificates; Let's Encrypt issues them at no cost, and renewal needs no manual intervention.
For technical details, see Certificate management.
External DNS management#
The external Domain Name System (DNS) management service integrates with cloud-native DNS, providing a way to reach the web-based managed services.
This service synchronizes the hostnames of exposed Services and Ingresses with your DNS provider, so you can create and update DNS records programmatically from within Kubernetes instead of editing them by hand.
For technical details, see DNS management.
Ingress management#
The Ingress controller service configures an NGINX-based Ingress controller from Ingress resources. It lets you expose Services outside of Kubernetes programmatically by hostname and path, and configure HTTP proxying parameters, so that the managed services and your applications are reachable from outside the cluster.
For technical details, see Ingress management.
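The Ingress below is an added example, not a manifest from the Rackspace documentation, that exercises the three services described above at once: the `host` field is what the external DNS service publishes, the `tls` block and issuer annotation are what the certificate service acts on, and the class and NGINX annotations are consumed by the Ingress controller. It assumes the certificate service is implemented with cert-manager and exposes a ClusterIssuer named `letsencrypt-prod`, that the DNS service watches Ingress hosts, and that the controller answers to the ingress class `nginx`; the page does not name any of these implementation details, and `shop.example.com` and the backend Service are placeholders.

```yaml
# Added example (not from Rackspace KaaS): one Ingress that drives certificate
# issuance, external DNS and the NGINX Ingress controller. Issuer name, ingress
# class and hostname are assumptions.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop
  namespace: shop
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod        # assumed cert-manager issuer name
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"  # never serve the app over plain HTTP
    nginx.ingress.kubernetes.io/proxy-body-size: "8m"       # an example HTTP proxying parameter
    external-dns.alpha.kubernetes.io/ttl: "300"             # TTL for the record external DNS creates
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - shop.example.com
      secretName: shop-example-com-tls   # the certificate service writes the issued key pair here
  rules:
    - host: shop.example.com             # the DNS service creates the record from this host
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: shop-web           # placeholder backend Service
                port:
                  number: 8080
```

After applying it, confirm that the hostname resolves to the controller's address before expecting a certificate: the Let's Encrypt HTTP-01 challenge is answered through this same Ingress, so DNS must be live first, and repeated failed attempts count against Let's Encrypt's rate limits. `networking.k8s.io/v1` needs Kubernetes 1.19 or later; older clusters use `extensions/v1beta1`, whose backend is written as `serviceName` and `servicePort`.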
Integrated authentication#
Integrated authentication consists of two components: the Kubernetes Access Manager (KAM) and a single authentication layer built on Dex.
- Kubernetes Access Manager (KAM)
The Kubernetes Access Manager (KAM) is a custom Rackspace component through which you get secure, cloud-idiomatic access to the cluster. KAM extends Dex, the Kubernetes integration, and user onboarding by issuing temporary access credentials and kubeconfig files for the cluster, so that your users can retrieve Kubernetes credentials automatically through a secure portal by using their Identity Provider credentials.
- Single authentication layer
Customer authentication back ends, such as those that use Security Assertion Markup Language (SAML) or Lightweight Directory Access Protocol (LDAP), plug into the single authentication layer, which handles authentication for both the cluster and the managed services.
This layer integrates with your Identity Provider, such as Okta, Ping, or ADFS, to provide OpenID Connect (OIDC)-based Single Sign-On (SSO), which lets the Rackspace managed services authenticate your users against one centralized identity service.
For technical details, see Integrated authentication.
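The following is an added example, not KAM's or Dex's own output, of what an OIDC login looks like on the Kubernetes side: the `users` entry of a kubeconfig that carries a short-lived ID token, and a RoleBinding that grants an Identity Provider group rights in one namespace. The issuer URL, client ID, group name and namespace are placeholders.

```yaml
# Added example (not a KAM-issued file): a kubeconfig user that authenticates
# with an OIDC ID token, and RBAC keyed on an IdP group. All names are
# placeholders.
apiVersion: v1
kind: Config
users:
  - name: alice@example.com
    user:
      auth-provider:
        name: oidc
        config:
          idp-issuer-url: https://dex.example.com     # assumed issuer; must match the iss claim
          client-id: kubernetes                       # assumed client registered with Dex
          id-token: <short-lived JWT obtained through SSO>
          refresh-token: <refresh token, if the IdP issued one>
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-developers
  namespace: payments
subjects:
  - kind: Group
    name: payments-dev              # groups claim from the IdP, passed through by Dex
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit                        # built-in role; no cluster-admin for day-to-day access
  apiGroup: rbac.authorization.k8s.io
```

The API server accepts the ID token only while it is unexpired and signed by the configured issuer, which is why temporary credentials plus a refresh path are safer than long-lived static tokens; the kubeconfig is still a bearer credential and should be protected like one. Bind roles to IdP groups rather than to individual subjects so that offboarding in the Identity Provider revokes cluster access too. The built-in `oidc` auth-provider shown here has since been deprecated in `kubectl` in favour of `exec` credential plugins; the RBAC half is unchanged.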
Logging#
The logging service provides a complete logging stack for the Rackspace managed services and for your applications.
Implemented with Elasticsearch™ for storage, Fluentd™ for log ingestion, and Kibana™ for viewing, the logging service integrates with Kubernetes to provide real-time data analytics and system resource utilization statistics for your cloud and your Kubernetes workloads.
For technical details, see Logging.
Container image registry#
The container image registry, Harbor, is a cloud-native, private, on-cluster registry that stores, signs, and scans container images. In addition to the public Docker image registry, you can store and manage your own images in this private registry, which is implemented with Harbor (originally developed by VMware). It lets your users upload, share, and collaborate on Docker images and Helm charts without leaving the cluster.
For technical details, see Image Registry.
Backup#
The backup service, Velero™, provides a programmatic way to back up, migrate, and restore Kubernetes cluster resources and persistent volumes. This service lets you configure backup schedules and restores for Kubernetes components.
For technical details, see Backup.
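As an added example, not a schedule from the Rackspace documentation, the Velero `Schedule` below backs up one namespace every night, snapshots its persistent volumes, and expires each backup after 30 days. It assumes Velero is installed in the `velero` namespace with a backup storage location named `default` and a volume snapshot plugin for the underlying cloud; the `payments` namespace is a placeholder.

```yaml
# Added example (not from Rackspace KaaS): a nightly Velero Schedule with
# volume snapshots and a 30-day retention. Namespace and location names are
# assumptions.
apiVersion: velero.io/v1
kind: Schedule
metadata:
  name: payments-nightly
  namespace: velero                 # Velero's own namespace
spec:
  schedule: "0 2 * * *"             # cron syntax: 02:00 every day, in the Velero server's timezone
  template:
    includedNamespaces:
      - payments
    excludedResources:
      - events                      # noisy and not worth restoring
    snapshotVolumes: true           # persistent volumes via the cloud snapshot plugin
    storageLocation: default        # BackupStorageLocation that points at the object store
    ttl: 720h0m0s                   # 30 days, after which Velero garbage-collects the backup
```

Each run creates a `Backup` object named after the schedule and a timestamp; `velero backup get` lists them and `velero restore create --from-backup <name>` restores one, optionally into a different namespace for a test restore. Because a backup contains the namespace's Secrets, the object store bucket needs the same access control as the cluster itself, and a restore is only proven to work once you have actually run one.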
Monitoring#
The monitoring service, Prometheus™, provides a monitoring stack into which you can plug your applications.
Production clouds need performance and uptime monitoring so that cloud administrators can diagnose and address issues. The Rackspace KaaS monitoring stack integrates tools such as Prometheus and Grafana® with Kubernetes to let Rackspace operators track the health of your cloud. It provides service and performance monitoring (Prometheus), alerting (Alertmanager), and visualization (Grafana), and lets your users manage monitoring and alerting for their own applications programmatically.
For technical details, see Monitoring.
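The `PrometheusRule` below is an added example of application-level alerting managed programmatically, not a rule shipped with the Rackspace stack. It assumes the stack is deployed through the Prometheus Operator (the page does not say which installer is used), that the Prometheus object's `ruleSelector` matches the label `role: alert-rules`, and that kube-state-metrics is scraped; the `payments` namespace, metric names and thresholds are placeholders.

```yaml
# Added example (not from Rackspace KaaS): alert rules delivered as a
# Prometheus Operator CRD. Selector label, namespace and thresholds are
# assumptions.
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: payments-app
  namespace: payments
  labels:
    role: alert-rules               # assumed ruleSelector label on the Prometheus object
spec:
  groups:
    - name: payments.rules
      rules:
        - alert: PaymentsPodCrashLooping
          # restart counter comes from kube-state-metrics
          expr: increase(kube_pod_container_status_restarts_total{namespace="payments"}[15m]) > 3
          for: 10m
          labels:
            severity: warning
          annotations:
            summary: "{{ $labels.pod }} restarted more than 3 times in 15 minutes"
        - alert: PaymentsHighErrorRate
          # fraction of 5xx responses; assumes the app exports http_requests_total
          expr: |
            sum(rate(http_requests_total{namespace="payments",code=~"5.."}[5m]))
              / sum(rate(http_requests_total{namespace="payments"}[5m])) > 0.05
          for: 5m
          labels:
            severity: critical
          annotations:
            summary: "more than 5% of payments requests returned 5xx over the last 5 minutes"
```

The `severity` label is what Alertmanager routes on, so the same label scheme should be used across teams or the routing tree becomes unmanageable; the `for` clause keeps a brief restart burst during a rollout from paging anyone. If nothing fires after applying the rule, the first thing to check is that the `role: alert-rules` label really matches the Prometheus object's selector, since a mismatch fails silently.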
Kubernetes Dashboard#
The Kubernetes Dashboard, a web-based user interface, provides access to Kubernetes clusters for RPCO or RPCR. It enables you to perform the following tasks:
- Create or modify cluster resources
- Deploy applications to a cluster
- Troubleshoot applications in a cluster
You can also check the state of your cluster and its resources to identify errors or other conditions.
For technical details, see Dashboard.