Case Study

Enabling CGI to manage Kubernetes securely across multiple clouds

Founded in 1976, CGI is among the largest IT and business consulting services firms in the world. CGI uses an insights-driven and outcome-based approach to help accelerate returns on IT and business investments.

CGI’s Emerging Technology Practice (ETP) is a global network that works with specialised partners to design custom solutions and provide end-to-end capabilities to help clients through their digital transformation journey while leveraging emerging technologies in a secure way.


Fast facts

  • Multi-cloud

    Enabled Kubernetes Cluster Management across GKE, AKS and EKS

  • Security

    Achieved CIS benchmark compliance

  • Overhead Reduction

    Reduced lead time of hosting applications in the cloud from 1 week to 1 hour

  • Cloud Native Efficiency

    Deployed hardened policies that are not tied to a single cloud.

Overview

CGI’s Emerging Technology Practice (ETP) had been developing a machine learning platform with monitoring and logging capabilities, called Lovelace, to simplify the deployment of machine learning workloads and enhance the overall developer experience for their customers.

The small internal team of Machine Learning Engineers was developing on an AWS EKS cluster created with self-managed AWS CloudFormation templates. CloudFormation is an AWS-specific service, so those templates could not be used to provision other managed Kubernetes services such as Azure Kubernetes Service (AKS) or Google Kubernetes Engine (GKE).

This would be a huge limitation for their customers, and they needed a secure, scalable and cost-efficient solution to support the deployment of their platform and workloads across all major public cloud providers.

If they were to build this capability in-house, there would be significant engineering overhead and delay in moving their current implementation to a multi-cloud deployment strategy: the CloudFormation templates are provider-specific and would have to be re-implemented for each major cloud provider, taking the team away from other critical activities. As a trusted partner, CGI called on Appvia’s cloud-native expertise for support and guidance to provide a cost-effective and scalable solution.

Appvia Wayfinder reduced the lead time of deploying secure applications across multiple clouds from 1 week to 1 hour, and enabled developers to continue building applications, with the peace of mind that their Kubernetes clusters are well-managed and adhere to security best practices.

Wayfinder is straightforward to use, with an intuitive GUI that allows us to easily have a holistic view of the state of the clusters.
João Dinis
Lead Machine Learning Engineer, CGI

The challenge

Limitations to achieving secure, multi-cloud Kubernetes Management

The Lovelace machine learning platform builds on well-supported open-source products that run as Kubernetes workloads in the cloud or on premises. It is offered to CGI customers as a service, where CGI provisions, upgrades and maintains the underlying infrastructure, or it can be installed directly on the customer’s target environment.

The platform provides value to their customers with one caveat: It was developed on Amazon Web Services (AWS) and could only be provisioned on AWS EKS clusters.

High-level architecture of Lovelace

Achieving multi-cloud

Challenge: Risk of misconfiguration

If Kubernetes clusters are not provisioned in a consistent, repeatable way, the result is drift and misconfiguration between clusters. Relying on cloud-provider-native tooling such as CloudFormation also meant there was no way to scale the infrastructure beyond AWS.

Solution: Automated cluster provisioning management
Wayfinder removes the cost of a bespoke multi-cloud implementation by abstracting the provider-specific options that do not transfer between clouds. Clusters and namespaces can be self-served with automated best practices and integrations that support on-demand auto-scaling.

Implementing best-practice security

Challenge: Leaving the environment open to vulnerabilities

If the Kubernetes version running in the clusters is outdated, the environment is left exposed to known vulnerabilities and attacks.

Solution: Automated policy administration and security hardening

Wayfinder applies a hardened security baseline across Kubernetes clusters, including least-privilege and time-bound access. Because CGI’s security requirements and CIS benchmark compliance are met through automation rather than manual configuration, nothing is left to human error.

In-cluster security controls are also in place to ensure that applications and workloads hosted within a Wayfinder cluster adhere to best practices: pre-defined pod security settings (such as a restriction on running privileged containers) and traffic-flow controls on workloads using network policies.
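To make the two in-cluster controls above concrete, here is an added example written for this page (it is not Wayfinder’s own policy set) expressed as plain Kubernetes objects. It assumes a namespace named lovelace, API pods labelled app=lovelace-api listening on TCP 8080, and an ingress controller running in the ingress-nginx namespace; all of those names are assumptions. The namespace labels use the built-in Pod Security Admission controller to reject privileged containers, and the network policies start from default-deny and then allow only the ingress controller and DNS.

```yaml
# Added example, not Wayfinder's configuration. Names below are assumed.
apiVersion: v1
kind: Namespace
metadata:
  name: lovelace
  labels:
    # Pod Security Admission (Kubernetes 1.25+). The "restricted" profile
    # rejects privileged containers, hostPID/hostNetwork/hostPath, and
    # requires runAsNonRoot, no privilege escalation and dropped capabilities.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Default deny: no ingress or egress for any pod in the namespace unless a
# more specific policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: lovelace
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Allow-list: only pods in the ingress controller's namespace may reach the
# API pods, and only on the port the application listens on.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress-controller
  namespace: lovelace
spec:
  podSelector:
    matchLabels:
      app: lovelace-api
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
---
# Under default-deny egress the pods could no longer resolve names, so allow
# DNS to kube-system explicitly.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: lovelace
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# A pod that satisfies the "restricted" profile. Remove any of the
# securityContext fields below and the admission controller rejects it.
apiVersion: v1
kind: Pod
metadata:
  name: lovelace-api
  namespace: lovelace
  labels:
    app: lovelace-api
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: api
      image: example.com/lovelace/api:1.0.0   # assumed image reference
      ports:
        - containerPort: 8080
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

Apply with `kubectl apply -f`, then confirm the admission side with `kubectl run probe --image=nginx -n lovelace --privileged`, which the restricted profile should reject. One caveat worth checking on every cluster: NetworkPolicy objects are only enforced when the cluster’s CNI supports them and the feature is enabled (it is an opt-in setting on GKE, AKS and EKS); on a cluster without enforcement these objects are accepted by the API server and silently ignored, so test connectivity from a pod rather than trusting that the objects exist.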

Reducing operational overhead

Challenge: Installing and managing platform components leads to operational overhead

The Lovelace platform requires manual configuration and set-up for TLS and DNS, and depends on open-source tooling to operate. This creates operational overhead: upgrades of that tooling require constant evaluation to ensure Lovelace stays protected against vulnerabilities identified by the community, and compatibility between the TLS, DNS and Ingress components must also be maintained.

Solution: Automated configuration of integral platform components

Wayfinder can automatically provision open-source application services alongside every Kubernetes cluster out of the box, such as ExternalDNS, cert-manager and the NGINX ingress controller, with no operational overhead for the team. This creates a user-centric process in which CGI can create the resources they need, as they need them.
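The paragraph above names the three components but not how they fit together. The following is an added example for this page (not Wayfinder’s provisioning output) showing the Ingress and issuer objects that let those components take over the TLS and DNS work the challenge section describes as manual. It assumes an ingress-nginx controller, ExternalDNS configured to manage a zone containing example.com, a Service named lovelace-api on port 80 in the lovelace namespace, and the contact address shown; the hostname, issuer name and e-mail are assumptions.

```yaml
# Added example, not Wayfinder's own manifests. Hostnames and names are assumed.
#
# cert-manager: an ACME issuer that proves control of the hostname with an
# HTTP-01 challenge served through the same NGINX ingress controller.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: platform@example.com                 # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key       # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx            # cert-manager 1.12+; older releases use "class: nginx"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: lovelace-api
  namespace: lovelace
  annotations:
    # cert-manager watches Ingress objects with this annotation, requests a
    # certificate for the hosts under spec.tls, and stores it in secretName.
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Refuse plaintext: the controller answers HTTP with a redirect to HTTPS.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - lovelace.example.com
      secretName: lovelace-api-tls            # filled in by cert-manager
  rules:
    # ExternalDNS (ingress source) reads spec.rules[].host and creates the
    # record pointing at the ingress controller's load-balancer address; it
    # also writes a TXT "owner" record so a second ExternalDNS instance does
    # not overwrite names it does not own.
    - host: lovelace.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: lovelace-api
                port:
                  number: 80
```

Once applied, `kubectl get certificate -n lovelace` should show lovelace-api-tls as Ready, and the DNS record for the host appears after ExternalDNS’s next sync interval. Two things to verify rather than assume: the ACME HTTP-01 solver needs the hostname to resolve publicly before the certificate can be issued, so the ExternalDNS record must exist first; and the ingress-nginx release should be kept current, since the challenge section’s point about evaluating upstream vulnerabilities applies to the ingress controller more than to any other of these components because it is the one exposed to the internet.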

The solution

Wayfinder provides CGI’s ETP with a consolidated and rich user interface that simplifies the creation and maintenance of secure Kubernetes clusters across GKE, AKS and EKS.

It was very productive, and interesting to see the decrease in amount of required effort to have Kubernetes clusters up and running in production-ready scenarios.
João Dinis
Lead Machine Learning Engineer, CGI

With Wayfinder abstracting the complexity of cluster management, CGI can host Lovelace in the cloud in 1 hour instead of 1 week. Their team of engineers can remain focused on developing applications while adhering to security best practices through Wayfinder’s built-in policy administration and security hardening; cluster management is now fast, secure and scalable.

Wayfinder enables CGI to overcome day-2 concerns and challenges around application and platform operations:

  1. Centralised cluster management
  2. Policy administration / compliance requirements
  3. API event emission for onward integration into a logging solution
  4. Exposed Prometheus metrics for monitoring the health of the product
  5. Automated patches, updates and upgrades for Kubernetes, operating systems and networking protocols
  6. Application deployments at scale across multiple clusters with GitOps integration
