
EKS vs GKE vs AKS – August 2020 Update

In February, we published an article providing a side-by-side comparison of the managed Kubernetes offerings from the three largest cloud providers: Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE). The Kubernetes ecosystem changes rapidly, as do the feature sets of these managed platforms. This post covers important updates to these services made since our original comparison and our April, May, June, and July updates.

Kubernetes Version Support Matrix

| Version | AKS | EKS | GKE | Kubernetes |
|---|---|---|---|---|
| 1.18 | preview | preview | | X |
| 1.17 | X | X | Rapid Channel | X |
| 1.16 | default | default | Regular Channel | X |
| 1.15 | X | X | default | |
| 1.14 | deprecated | X | X | |

Azure Kubernetes Service

Kubernetes Version Changes

Kubernetes 1.17 support is now generally available (GA) for AKS clusters. Support for new Kubernetes 1.14 clusters has been removed. Kubernetes 1.16 is the default version for new AKS clusters.

Load Balancer Enhancements (GA)

Inbound and outbound IPs can now be re-used (a user can assign an outbound IP that is the same as an inbound IP) in the AKS Standard Load Balancer (SLB).


containerd Support (Preview)

AKS now allows users to select containerd as the container runtime. AKS plans to make containerd the default runtime in the coming months. More details are provided [here](https://docs.microsoft.com/en-us/azure/aks/cluster-configuration#container-runtime-configuration-preview).

Azure RBAC Integration for Kubernetes Authorization (Preview)

Azure has released Azure RBAC integration for Kubernetes Authorization in preview. This enables unified management and access control across Azure and Kubernetes resources. Kubernetes cluster RBAC can now be administered from the Azure Portal. Learn more [here](https://docs.microsoft.com/en-us/azure/aks/manage-azure-rbac).

Secure Pods with Azure Policy for AKS (Preview)

By using the Azure Policy Add-on for AKS, an AKS cluster can use built-in Azure policies to secure and enforce conditions on Kubernetes resources, including pods, similar to how [pod security policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) work. Policies can be applied to management groups, subscriptions, or resource groups. This feature is built on an integration with Gatekeeper and leverages the open-source [Open Policy Agent](https://www.openpolicyagent.org/). Read more [here](https://docs.microsoft.com/en-us/azure/aks/use-pod-security-on-azure-policy).

AKS Support for Ultra Disks (Preview)

AKS adds preview support for ultra disks: high-throughput, high-IOPS, low-latency disk storage for stateful Kubernetes workloads, especially those that are data-intensive. More details are [here](https://docs.microsoft.com/en-us/azure/aks/use-ultra-disks).

Proximity Placement Groups (Preview)

This feature allows AKS users to specify logical groupings of cluster worker nodes to reduce network latency. See [here](https://docs.microsoft.com/en-us/azure/aks/manage-azure-rbac) to learn more.

Amazon Elastic Kubernetes Service

Kubernetes 1.17 Support

EKS clusters now support Kubernetes version 1.17. Users can select 1.17 as the version to use when provisioning new clusters.

Google Kubernetes Engine

Kubernetes Version Changes

Kubernetes version 1.15 is now the default version for new GKE clusters. Version 1.14 is no longer supported for new clusters and will be deprecated in an upcoming release.

NodeLocal DNSCache Now Generally Available

NodeLocal DNSCache, an optional GKE add-on that improves the latency of DNS lookups and reduces the number of DNS queries sent to kube-dns, is now GA. See more details [here](https://cloud.google.com/kubernetes-engine/docs/how-to/nodelocal-dns-cache).

Customer Managed Encryption Keys for GKE in General Availability

Customer managed encryption keys (CMEK) allow you to secure GKE node boot disks and attached persistent storage by encrypting the data encryption keys that are used to encrypt your data. Support for CMEK is generally available. Read more [here](https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek).
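The persistent-storage half of this is configured on a StorageClass: the Compute Engine persistent disk CSI driver accepts a Cloud KMS key in its `disk-encryption-kms-key` parameter, and every disk provisioned from that class is then wrapped with your key. The manifests below are an added example (not from the original post or Google's docs); the class name `pd-standard-cmek`, the claim name `orders-db-data` and the upper-case key path segments are placeholders to be replaced with your own project, region, key ring and key.

```yaml
# Added example: StorageClass that forces CMEK on every persistent disk it provisions.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: pd-standard-cmek                     # assumed name
provisioner: pd.csi.storage.gke.io           # GCE PD CSI driver (must be enabled on the cluster)
parameters:
  type: pd-standard
  # Placeholder key resource name; the Compute Engine service agent needs
  # roles/cloudkms.cryptoKeyEncrypterDecrypter on this key or provisioning fails.
  disk-encryption-kms-key: projects/PROJECT_ID/locations/REGION/keyRings/KEY_RING/cryptoKeys/KEY_NAME
volumeBindingMode: WaitForFirstConsumer      # pick the zone once the Pod is scheduled
allowVolumeExpansion: true
reclaimPolicy: Delete
---
# Any claim that names the class gets a CMEK-protected disk without the workload
# author having to know about KMS at all.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: orders-db-data                       # assumed name
spec:
  accessModes: ["ReadWriteOnce"]
  storageClassName: pd-standard-cmek
  resources:
    requests:
      storage: 50Gi
```

Node boot disks are handled separately, at node-pool creation time, with the `--boot-disk-kms-key` flag of `gcloud container node-pools create`. A quick check that the class is doing its job is to inspect the provisioned disk with `gcloud compute disks describe` and confirm the `diskEncryptionKey.kmsKeyName` field points at your key; disabling or destroying that key version makes the disk unreadable, so key rotation and deletion need an operational runbook before CMEK goes to production.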

Networking Enhancements for Certain GKE Versions (GA)

The BackendConfig CRD is now GA for certain GKE clusters. This change promotes several features, such as IAP, timeouts, affinity, user-defined request headers, and others, to GA for GKE clusters running version 1.16-gke.3 or later. Specific details are available [here](https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features). Container-native Ingress using Network Endpoint Groups (NEGs) is also now the default in most cases for new Services in clusters running version 1.17.6-gke.7 or later.
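The following manifests are an added example (not from the original post) of the GA BackendConfig features named above: a backend timeout, connection draining, cookie-based affinity, a user-defined request header, a Cloud Armor security policy and IAP, all attached to a Service through the `cloud.google.com/backend-config` annotation. The names `api-backendconfig`, `api`, `api-edge-policy` and `iap-oauth-client`, and the `app: api` selector, are assumptions for the example.

```yaml
# Added example: GA BackendConfig (apiVersion cloud.google.com/v1) for an Ingress backend.
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: api-backendconfig                  # assumed name
  namespace: default
spec:
  timeoutSec: 60                           # backend service timeout
  connectionDraining:
    drainingTimeoutSec: 30                 # let in-flight requests finish on scale-down
  sessionAffinity:
    affinityType: "GENERATED_COOKIE"
    affinityCookieTtlSec: 300
  customRequestHeaders:
    headers:
      - "X-Client-Region:{client_region}"  # LB-populated variable forwarded to the backend
  securityPolicy:
    name: api-edge-policy                  # assumed Cloud Armor policy, created outside Kubernetes
  iap:
    enabled: true
    oauthclientCredentials:
      # Secret holding the OAuth client_id and client_secret keys (assumed name)
      secretName: iap-oauth-client
---
apiVersion: v1
kind: Service
metadata:
  name: api                                # assumed name
  namespace: default
  annotations:
    cloud.google.com/backend-config: '{"default": "api-backendconfig"}'
    cloud.google.com/neg: '{"ingress": true}'   # container-native LB; default on 1.17.6-gke.7+
spec:
  type: ClusterIP
  selector:
    app: api
  ports:
    - name: http
      port: 80
      targetPort: 8080
```

IAP in front of a backend means the load balancer authenticates every request against Google identities before it reaches the Pods, so the application should in turn validate the `x-goog-iap-jwt-assertion` header rather than trusting the plain identity headers; the BackendConfig only protects traffic that enters through the Ingress, and the Service itself must not also be exposed another way.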

Networking Enhancements (Beta)

[Shared IP](https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#shared_VIP) is now in beta for all GKE clusters. This allows multi-protocol TCP and UDP support on the same Service IP. SSL Policies are also now available in beta for external Ingress and multi-cluster Ingress and allow policy enforcement on TLS and cipher settings.

Node System Configuration (Beta)

GKE Node System Configuration enables users to specify custom Kubelet and kernel configurations on node pools and is now in beta. Learn more [here](https://cloud.google.com/sdk/gcloud/reference/beta/container/node-pools/create#--system-config-from-file).
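The file passed with `--system-config-from-file` has two top-level sections, `kubeletConfig` for kubelet settings and `linuxConfig` for kernel sysctls. The file below is an added example (not from the original post); the node-pool name `cpu-pinned-pool` and the specific values are assumptions, and only the sysctls on GKE's allowlist are accepted, so consult the linked reference before adding others.

```yaml
# Added example: node-config.yaml for
#   gcloud beta container node-pools create cpu-pinned-pool \
#     --cluster CLUSTER_NAME --system-config-from-file=node-config.yaml
kubeletConfig:
  cpuManagerPolicy: static          # pin Guaranteed-QoS Pods to exclusive cores
  cpuCFSQuota: true                 # keep CFS quota enforcement for CPU limits
  cpuCFSQuotaPeriod: "100ms"
linuxConfig:
  sysctl:
    net.core.somaxconn: "2048"                 # deeper accept queue for busy servers
    net.ipv4.tcp_rmem: "4096 87380 6291456"    # receive buffer min/default/max
```

Because these settings apply to every node in the pool, a change is rolled out by creating or updating the pool rather than by editing nodes in place; keeping the file in version control gives an auditable record of kernel parameters the same way manifests do for workloads.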



*** This is a Security Bloggers Network syndicated blog from The Container Security Blog on StackRox authored by The Container Security Blog on StackRox. Read the original post at: https://www.stackrox.com/post/2020/08/eks-vs-gke-vs-aks-august-2020-updates/