Managed Kubernetes Shared Responsibility Model on Creodias

The Managed Kubernetes service on Creodias enables users to deploy ready-to-use, production-grade Kubernetes clusters. A key benefit of Managed Kubernetes is that Creodias manages the lifecycle of the Kubernetes platform, including cluster provisioning and ongoing maintenance of platform components. To ensure the service operates smoothly, users should apply a set of recommended practices in their day-to-day cluster operations.

The following principles outline the shared responsibility model between Creodias and users when operating Managed Kubernetes clusters:

Service boundary

Creodias owns the availability, maintenance and security of the underlying infrastructure, Kubernetes control plane, node pools, and default add-ons.

Adherence to Kubernetes best practices

Creodias ensures that Kubernetes best practices are followed at the platform layer. Users are responsible for the workloads they run (e.g. pods, deployments, jobs), the data they place on the cluster and the configuration of higher-level services (network policies, RBAC, secrets, etc.).

Sufficient Cluster Specification

Creodias provides a choice of Control Plane and Node Pool flavors. The user is responsible for selecting a specification that is sufficient to manage their workloads throughout the cluster’s lifecycle.

Security by design

Creodias protects the infrastructure and the Managed Kubernetes service, while users must secure their applications, their data and their identity management layer.

Controlled customization

On top of the pure Kubernetes installation, the Managed Kubernetes platform supplies additional components (add-ons) that simplify users’ ongoing cluster operation. The add-ons are provided with opinionated configuration defaults, and certain customizations made on the user side might be overwritten by the Managed Kubernetes service. The user is responsible if misconfigurations initiated on their end impact their applications.

Lifecycle management

Creodias ensures availability of new Kubernetes versions and upgrades/patches of components on the provisioning layer. For each release, Creodias will also share the expected impact and any recommended user actions.

Before upgrading a cluster, users should verify that their application deployments are compatible with the target Kubernetes version. Once compatibility is confirmed, users can initiate the upgrade using the Managed Kubernetes interface.

Cluster Backups

Users are responsible for defining and maintaining a coherent backup policy in line with the documentation, and for validating that the restore process works as expected. For critical data, we strongly recommend using an additional, independent backup mechanism as a fallback.

As a convenience feature, Creodias provides the third-party Kubernetes plugin Velero to back up Managed Kubernetes clusters, along with documentation on how to use it. Velero can

  • back up cluster state, including persistent volumes, and

  • store backups in an S3 location within the same cloud region as the protected cluster.

Creodias is not responsible for Velero plugin malfunctions or issues caused by misconfiguration during backup or restore.