Enabling CGI to manage Kubernetes securely across multiple clouds
Founded in 1976, CGI is among the largest IT and business consulting services firms in the world. CGI uses an insights-driven and outcome-based approach to help accelerate returns on IT and business investments.
CGI’s Emerging Technology Practice (ETP) is a global network that works with specialised partners to design custom solutions and provide end-to-end capabilities to help clients through their digital transformation journey while leveraging emerging technologies in a secure way.
Enabled Kubernetes Cluster Management across GKE, AKS and EKS
Achieved CIS benchmark compliance
Reduced lead time of hosting applications in the cloud from 1 week to 1 hour
Cloud Native Efficiency
Deployed hardened policies that are not limited to one cloud.
CGI’s Emerging Technology Practice (ETP) had been developing a machine learning platform with monitoring and logging capabilities, called Lovelace, to simplify the deployment of machine learning workloads and enhance the overall developer experience for their customers.
The small internal team of Machine Learning Engineers was developing on an AWS EKS cluster created with self-managed AWS CloudFormation templates, which could not be used to provision other cloud-managed Kubernetes clusters (i.e. Azure Kubernetes Service (AKS) or Google Kubernetes Engine (GKE)).
This would be a huge limitation for their customers, and they needed a secure, scalable and cost-efficient solution to support the deployment of their platform and workloads across all major public cloud providers.
If they were to build this capability in-house, there would be significant engineering overhead and time spent altering their current implementation to a multi-cloud deployment strategy: translating their CloudFormation templates, a cloud-provider-specific service, for each major cloud provider, while also taking the team away from other critical activities. As a trusted partner, CGI called on Appvia’s cloud-native expertise for support and guidance to provide a cost-effective and scalable solution.
Appvia Wayfinder reduced the lead time of deploying secure applications across multiple clouds from 1 week to 1 hour, and enabled developers to continue building applications, with the peace of mind that their Kubernetes clusters are well-managed and adhere to security best practices.
“Wayfinder is straightforward to use, with an intuitive GUI that allows us to easily have a holistic view of the state of the clusters.”
Limitations to achieving secure, multi-cloud Kubernetes Management
The Lovelace machine learning platform builds on well-supported open-source products that run as Kubernetes workloads in the cloud or on-premises. It is offered to CGI customers as a managed service, where CGI provisions, upgrades and maintains the underlying infrastructure, or it can be installed directly in the customer’s target environment.
The platform provides value to CGI’s customers with one caveat: it was developed on Amazon Web Services (AWS) and could only be provisioned on AWS EKS clusters.
Challenge: Risk of misconfiguration
If Kubernetes clusters aren’t managed in a consistent, repeatable way, misconfiguration follows. Using cloud-provider-native tooling such as CloudFormation also meant there was no way of scaling the infrastructure beyond AWS.
Solution: Automated cluster provisioning and management
Wayfinder removes the engineering investment of a multi-cloud implementation by abstracting the provider-specific options that are not transferable between clouds. Clusters and namespaces can be self-served with automated best practices and integrations that support on-demand auto-scaling.
Implementing best-practice security
Challenge: Leaving the environment open to vulnerabilities
If the Kubernetes version in the clusters is outdated, there’s a risk of leaving the environment open to vulnerabilities and attacks.
Solution: Automated policy administration and security hardening
Wayfinder automates the highest security standards across Kubernetes clusters, including least-privilege and time-based access. In meeting all of CGI’s security requirements and achieving benchmark compliance, nothing is left to human error.
In-cluster security controls are also in place to ensure that applications and workloads hosted within a Wayfinder cluster adhere to best practices: pre-defined pod security policies, such as restricting the use of privileged containers, and traffic-flow controls for workloads using network policies.
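The two in-cluster controls just described, written out as plain Kubernetes manifests as an added example (this is not Wayfinder’s own configuration, and the namespace, labels, image and port are assumed values): a namespace enforcing the Pod Security Admission “restricted” profile, a privileged pod spec that the profile rejects beside the hardened spec it admits, and a default-deny network policy with one explicit allow rule.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: lovelace-demo          # assumed namespace name
  labels:
    # Pod Security Admission (Kubernetes 1.25+) rejects any pod that does not
    # meet "restricted": no privileged containers, host namespaces or escalation.
    pod-security.kubernetes.io/enforce: restricted
---
# Rejected by the profile above: privileged: true hands the container the
# host's devices and full capability set.
apiVersion: v1
kind: Pod
metadata: {name: rejected-example, namespace: lovelace-demo}
spec:
  containers:
    - name: app
      image: registry.example/lovelace/app:placeholder   # assumed image
      securityContext: {privileged: true}
---
# The hardened equivalent that the profile admits.
apiVersion: v1
kind: Pod
metadata: {name: admitted-example, namespace: lovelace-demo, labels: {app: lovelace-api}}
spec:
  securityContext: {runAsNonRoot: true, seccompProfile: {type: RuntimeDefault}}
  containers:
    - name: app
      image: registry.example/lovelace/app:placeholder
      securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}}
---
# Traffic-flow control: deny all ingress to every pod in the namespace...
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny-ingress, namespace: lovelace-demo}
spec:
  podSelector: {}
  policyTypes: [Ingress]
---
# ...then allow only the ingress controller's namespace to reach the API pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: allow-from-ingress-nginx, namespace: lovelace-demo}
spec:
  podSelector: {matchLabels: {app: lovelace-api}}
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: ingress-nginx}}
      ports: [{protocol: TCP, port: 8080}]
```

Network policies are only enforced when the cluster runs a CNI that implements them; a quick check is to apply the default-deny policy and confirm a pod in another namespace can no longer reach the API pod.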
Reducing operational overhead
Challenge: Installing and managing platform components leads to operational overhead
The Lovelace platform requires manual configuration and set-up for TLS and DNS, as well as open-source tooling to operate. This creates operational overhead: each upgrade of that open-source tooling must be evaluated to ensure Lovelace remains protected against vulnerabilities reported by the community, and compatibility across TLS, DNS and ingress must also be maintained.
Solution: Automated configuration of integral platform components
Wayfinder can automatically provision open-source application services alongside every Kubernetes cluster out of the box, such as ExternalDNS, cert-manager and the NGINX ingress controller. This requires no operational overhead and creates a user-centric process in which CGI can create the resources they need, as they need them.
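What the developer then writes once those three components are running, as an added example (not Wayfinder’s or CGI’s own manifest; the hostname, namespace, backend service and ClusterIssuer name are assumed): a single Ingress object whose annotations let ExternalDNS publish the DNS record and cert-manager issue and renew the TLS certificate, with the NGINX controller terminating HTTPS.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: lovelace-api
  namespace: lovelace-demo            # assumed namespace
  annotations:
    # ExternalDNS watches Ingress objects and creates the record for the host
    # below in the provider's DNS zone (Route 53, Azure DNS or Cloud DNS).
    external-dns.alpha.kubernetes.io/hostname: api.lovelace.example.com
    # cert-manager requests a certificate from the named ClusterIssuer
    # (assumed to be an ACME issuer) and writes it to spec.tls[].secretName.
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Redirect plain HTTP to HTTPS at the ingress controller.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [api.lovelace.example.com]
      secretName: lovelace-api-tls     # created and renewed by cert-manager
  rules:
    - host: api.lovelace.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: lovelace-api     # assumed backend Service
                port:
                  number: 8080
```

The three integrations are only as safe as their permissions: ExternalDNS needs write access to the DNS zone and cert-manager needs the ACME account key, so both should run with least-privilege cloud credentials rather than cluster-wide admin roles.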
“It was very productive, and interesting to see the decrease in the amount of effort required to have Kubernetes clusters up and running in production-ready scenarios.”
Wayfinder provides CGI’s ETP with a consolidated and rich user interface that simplifies the creation and maintenance of secure Kubernetes clusters across GKE, AKS and EKS.
With Wayfinder abstracting away the complexity of cluster management, CGI can host Lovelace in the cloud in 1 hour instead of 1 week. Their team of engineers can remain focused on developing applications while adhering to security best practices through Wayfinder’s built-in policy administration and security hardening, with cluster management now being fast, secure and scalable.
Wayfinder enables CGI to overcome the day 2 concerns and challenges around application and platform operations.
Centralised cluster management
Policy administration / compliance requirements
API events emission for onwards integration into a logging solution
Exposed Prometheus metrics for monitoring the health of the product
Automated patches, updates and upgrades for Kubernetes, operating systems and networking protocols
Application deployments at scale across multiple clusters with GitOps integration