
Kubernetes-as-a-Service: EKS vs. AKS vs. GKE

May 4, 2020 7:39:14 AM / by Alon Berger


Already at the opening of Q2 2020, it is clear that in the race to lead container orchestration, Kubernetes is here to stay, taking its place as the most prevalent open-source system available today for deploying and managing multi-container applications at scale.

With the recent surge in the trend towards development of container-based applications, I thought it would be beneficial to discuss the managed Kubernetes services available today and examine what they offer in comparison with each other.


The following chart breaks down the managed Kubernetes services usage by the top three cloud providers:

[Chart: managed Kubernetes service usage by cloud provider]

source: CNCF Survey 2019

These statistics, taken from the CNCF Survey 2019, demonstrate how Kubernetes is widely used on managed services platforms, with EKS as the leader followed by GKE.

Many reports assert that moving to a managed cloud platform enables organizations to overcome challenges like large gaps in knowledge and relevant skills, which are still closely tied to Kubernetes adoption today. Shifting towards such platforms may help flatten the learning curve, as the major cloud providers' fully managed Kubernetes services take care of the cluster control plane for you, making it much easier to get started.

In this article, we’ll look more closely at the leading players in the game:

  • EKS - Amazon Elastic Kubernetes Services (released for general availability in June 2018)
  • AKS - Microsoft Azure Kubernetes Service (released for general availability in June 2018)
  • GKE - Google Kubernetes Engine (released for general availability in August 2015)

Having introduced its offering far earlier than the others, GKE (from Google Cloud) was originally the most mature solution available. Now, however, EKS and AKS, along with many others (IBM, DigitalOcean and more), have stepped up to the challenge. They too offer their own services and features, each with its own key values and differentiators for container orchestration.

Supported Kubernetes Versions

Let’s start with the basics - are all three of these major providers up-to-date with Kubernetes’ latest releases? Spoiler - of course not.

Take a look at this overview of version availability:

[Chart: Kubernetes version availability by provider]

Basically, all three major providers offer similar levels of support. They only offer the most recent Kubernetes versions as previews. Somewhat unexpectedly, it's an entirely different player that offers the broadest support for newer Kubernetes releases, and it's none other than the IBM Cloud Kubernetes Service (IKS), which already fully supports version 1.17.

Our research shows, however, that most organizations prefer older, established releases over bleeding-edge versions, as shown in the chart above.

Currently, the default Kubernetes version for both EKS and AKS is 1.15, and for GKE it is 1.14.

It's also worth noting that versions 1.12 and 1.13 are deprecated and no longer within the support scope of these three main vendors.

Upgrades and Maintenance

This section puts GKE in the spotlight, as their Kubernetes managed services provide the most automated processes for handling upgrades and maintenance, enabling simple scaling for multi-container apps:

[Chart: upgrade and maintenance features by provider]

The most noteworthy Kubernetes feature is perhaps its autoscaling, which automatically calibrates the relevant resources according to demand, maintaining high availability for all of your services. Similarly, cloud-based managed services for Kubernetes must be equally scalable, computing and provisioning resources as needed. The scaling abilities offered by GKE are, hands down, the most mature, making it the more reliable choice in this respect.

Supported Nodes and Container Runtime Features

When choosing an orchestrator, it’s fundamental that you check out the node and container runtime features offered.

You should consider:

  • the flexibility you might need
  • the machines you’re already running
  • additional associated costs you might need to take into account

When checking out node support, you need to take into account the details of the host operating system (Linux or Windows). Here’s a quick breakdown:

  • EKS - Amazon Linux, Ubuntu, Amazon Machine Image (AMI), Windows server and Bring-Your-Own-OS
  • AKS - Ubuntu, Windows Server
  • GKE - Container Optimized OS (COS), Ubuntu, Windows Server

With regard to the container runtime, all three vendors support Docker, with GKE also supporting containerd. Supporting containerd makes for a more flexible offering, removing the dependence on Docker alone.

Security is Key

While security strategies for containerized applications are getting stronger, there are still organizations with much ground to cover. For that reason, some cloud providers have established security controls as a standard part of every cluster creation.

Dynamic policy configuration is crucial, and for that, RBAC comes into play. Role-based access control is fully supported on all three major platforms. While the offerings are similar, EKS has a significant advantage, with a tighter security hardening policy overall, enforcing RBAC requirements and pod security policies as mandatory. If you are interested in security best practices with EKS, join us for an upcoming webinar we are hosting with AWS experts.


For additional reading about the critical role of RBAC policies in your Kubernetes configuration, check out this blog on RBAC Visualization, recently posted on dev.to, by Alcide’s CTO, Gadi Naor.
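Since RBAC is supported everywhere but only enforced as mandatory on some platforms, the practical question for a defender is which bindings actually hand out cluster-admin-like power. The following is an added example (not Alcide's code and not part of any provider's tooling) that audits ClusterRoleBindings for ClusterRoles with wildcard rules. It consumes the object shapes returned by `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`; the objects below are constructed to mirror those shapes, and skipping subjects named `system:*` as platform defaults is an assumption made here.

```python
"""Audit ClusterRoleBindings that grant wildcard (cluster-admin-like) rights.

Added example, not code from the original post or from any cloud provider.
Input shapes follow `kubectl get clusterroles -o json` and
`kubectl get clusterrolebindings -o json` (the `items` lists).
"""
from typing import List, Tuple


def rule_is_wildcard(rule: dict) -> bool:
    """A rule allowing every verb on every resource is effectively cluster-admin."""
    return "*" in rule.get("verbs", []) and "*" in rule.get("resources", [])


def role_is_wildcard(role: dict) -> bool:
    return any(rule_is_wildcard(r) for r in role.get("rules", []))


def describe_subject(subject: dict) -> str:
    """Render a binding subject as Kind:name (ServiceAccounts carry a namespace)."""
    ns = subject.get("namespace")
    if ns:
        return f'{subject["kind"]}:{ns}/{subject["name"]}'
    return f'{subject["kind"]}:{subject["name"]}'


def overprivileged_bindings(cluster_roles: List[dict],
                            bindings: List[dict]) -> List[Tuple[str, str]]:
    """Return (binding name, subject) pairs that bind a wildcard ClusterRole
    to a subject outside the built-in system:* names (assumption: those are
    platform defaults such as system:masters and are reviewed separately)."""
    wildcard_roles = {r["metadata"]["name"] for r in cluster_roles if role_is_wildcard(r)}
    findings: List[Tuple[str, str]] = []
    for binding in bindings:
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in wildcard_roles:
            continue
        for subject in binding.get("subjects", []):
            if subject["name"].startswith("system:"):
                continue
            findings.append((binding["metadata"]["name"], describe_subject(subject)))
    return findings


# Constructed sample objects (not from a real cluster).
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]

SAMPLE_BINDINGS = [
    # Default binding shipped with every cluster: skipped as a system:* subject.
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    # A CI service account given cluster-admin: this is the kind of finding to review.
    {"metadata": {"name": "ci-deployer-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
    # Narrow read-only role: not flagged.
    {"metadata": {"name": "alice-reads-pods"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

if __name__ == "__main__":
    for binding_name, subject in overprivileged_bindings(SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS):
        print(f"{binding_name}: wildcard ClusterRole bound to {subject}")
```

On a live cluster you would feed the `items` arrays from the two `kubectl ... -o json` commands into `overprivileged_bindings`; the same rule check can be applied to namespaced Roles and RoleBindings if you widen the `roleRef.kind` filter.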


Unfortunately, network security policies remain a big challenge and are not enabled by default by any of the three major providers. Additionally, they all offer only minimal ways to enforce and monitor access to the cluster's API endpoint, leaving it exposed unless you take the necessary manual steps to protect your applications. You can dive into these issues more deeply in our article Kubernetes Network Policies Best Practices.
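Because none of the three providers ships a default-deny network policy, the first thing to verify on a new cluster is which namespaces still accept ingress from anywhere. The following is an added example (not Alcide's code and not part of any provider's tooling) that shows what a default-deny ingress NetworkPolicy looks like and audits a cluster's namespaces for the absence of one. It works on the object shapes returned by `kubectl get namespaces -o json` and `kubectl get networkpolicies -A -o json`; the sample objects below are constructed to mirror those shapes, and skipping `kube-system` is an assumption made here.

```python
"""Find namespaces with no default-deny ingress NetworkPolicy.

Added example, not code from the original post or from any cloud provider.
Input shapes follow `kubectl get namespaces -o json` and
`kubectl get networkpolicies -A -o json` (the `items` lists).
"""
from typing import Iterable, List

# The baseline policy: an empty podSelector selects every pod in the namespace,
# policyTypes lists Ingress, and no ingress rules are given, so nothing is
# allowed in until another policy explicitly permits it.
DEFAULT_DENY_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-ingress", "namespace": "payments"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}


def is_default_deny_ingress(policy: dict) -> bool:
    """True if the policy isolates every pod in its namespace for ingress
    and grants no ingress rules of its own."""
    spec = policy.get("spec", {})
    selector = spec.get("podSelector") or {}
    # Any label constraint means only a subset of pods is covered.
    if selector.get("matchLabels") or selector.get("matchExpressions"):
        return False
    # When policyTypes is omitted, Kubernetes always includes Ingress and adds
    # Egress only if an egress section is present.
    policy_types = spec.get("policyTypes")
    if policy_types is None:
        policy_types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    if "Ingress" not in policy_types:
        return False
    # Absent or empty `ingress` denies all; any rule (even `[{}]`) allows traffic.
    return not spec.get("ingress")


def namespaces_without_default_deny(namespaces: List[dict],
                                    policies: List[dict],
                                    skip: Iterable[str] = ("kube-system",)) -> List[str]:
    """Sorted names of namespaces lacking a default-deny ingress policy."""
    covered = {p["metadata"]["namespace"] for p in policies if is_default_deny_ingress(p)}
    return sorted(ns["metadata"]["name"] for ns in namespaces
                  if ns["metadata"]["name"] not in covered
                  and ns["metadata"]["name"] not in set(skip))


# Constructed sample objects (not from a real cluster).
SAMPLE_NAMESPACES = [
    {"metadata": {"name": "default"}},
    {"metadata": {"name": "payments"}},
    {"metadata": {"name": "web"}},
    {"metadata": {"name": "kube-system"}},
]

SAMPLE_POLICIES = [
    DEFAULT_DENY_INGRESS,
    # A targeted allow rule: useful, but it does not isolate the rest of the namespace.
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "allow-frontend-to-web", "namespace": "web"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}]}]}},
]

if __name__ == "__main__":
    for name in namespaces_without_default_deny(SAMPLE_NAMESPACES, SAMPLE_POLICIES):
        print(f"namespace {name}: no default-deny ingress policy")
```

The check deliberately treats a namespace-wide policy that contains an allow-all rule (`ingress: [{}]`) as not default-deny, since such a policy isolates pods in name only; feed the `items` arrays from the two `kubectl` commands into `namespaces_without_default_deny` to run it against a real cluster.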

Performance and Availability

SLA (service level agreement) is a powerful acronym in every industry, and within the cloud community it is no different. All cloud platform providers offer availability zones and regions for their managed Kubernetes services, enabling greater flexibility for distributing deployments.

For Kubernetes platforms, you should review Control Plane SLAs. Amazon EKS guarantees 99.95% uptime, AKS offers 99.95% when availability zones are enabled and 99.9% when disabled, and GKE splits its managed Kubernetes clusters, aiming for 99.5% uptime for Zonal deployments and 99.95% for regional deployments.

These numbers matter when you account for potential outages, pods not being rescheduled, and other potential resource management failures.

A great article posted on Medium covers the same topic and outlines performance metrics like cluster creation time and the time needed to provision an application. On these two metrics, AKS and GKE come out on top as the fastest to spin up new clusters (within minutes!); even more surprisingly, GKE is significantly faster than its competitors at provisioning an application.

A Word on Pricing

What about pricing, you ask? Here is where we recommend you take a deep dive into each provider's offering and do the math. Each vendor has its own specific features, limitations and pricing plans. These specs should be reviewed meticulously in order to conduct proper research, and ultimately you should pick the one that best suits your needs.

Microsoft AKS and IBM Cloud Kubernetes Service currently offer free plans for cluster management. You pay only for the resources you use, such as virtual machines (VMs), storage, and so forth.

To wrap things up, there is indeed a whole lot more we haven’t covered here as each feature has many intricate details associated with it. We'll take these less-traveled roads in our future posts. In the meantime, dedicate time to choosing your destiny. Choose it wisely.

Sign up for a free account with Alcide to give our offering a try.
