Appvia: Self-Service Kubernetes for Teams

When working with the UK Home Office back in 2016, the team behind Appvia learned a lot about how developers work, and what works for them — and what doesn’t.
That project involved building a large, multitenant Kubernetes cluster, supporting more than 700 developers working on 400 apps.
London-based Appvia grew out of the lessons learned from the 40 different projects in which the team was involved with the UK government agency that manages immigration and security. The resulting system focused on providing self-service provisioning to developers, making complex technology easy to use, while improving oversight for the organization.
A number of the team became maintainers for the open source Kubernetes orchestrator kops, patching security gaps that were critical to the Home Office.
“We’re very developer-centric. Even with the home office, [we were asking] how should a team work? How do they get the resources they need? … It’s just so time consuming and repetitive, and so we’ve built products around that space first,” said Appvia CEO Jonathan Shanks.
Then they went back to the drawing board to focus on how to commoditize Kubernetes and “start bridging the cloud resources, security and cost visibility to the team and start enhancing the business value back into the teams around cloud.”
The Appvia team has developed two open source technologies, Krane and the recently released Kore.
Krane is a Kubernetes static analysis tool that identifies potential security risks in Kubernetes role-based access control (RBAC) design and makes suggestions on how to mitigate them.
Kore is a platform that provides Kubernetes self-service to developers within a framework set by the ops team. It provides
- Cluster provisioning that’s secure and consistent across environments and teams.
- Account management with a single source for access and control across the organization.
- Plans and templates that allow administrators to define resources teams can consume. You can, for instance, set up default Kubernetes cluster plans that developer teams can consume without the need to run CI, code or scripts. It could be a single availability zone with cheap instance types, through to production plans with enhanced security settings across multiple availability zones for resilience and on-demand instances.
- Managed access controls provide a central means to manage and configure roles, policies and permissions to ensure developers are working securely and applications are meeting security requirements. These controls can enable teams to add and remove member access to their projects as needed.
- Auditability on user actions, cluster creation and access management.
It works on public clouds, on-premises and in hybrid and multicloud environments.
Providing consistency in configuration is especially important from a security perspective. Requiring each cluster to be configured manually is not only time-consuming but can lead to human error and resulting security and stability issues.
Appvia Kore reuses the Kubernetes framework and adds enhanced features. Each enhancement works under the operator framework. The operators are domain-specific features, such as team management or SSO configuration. The Kore API bridges services and manages the coordination of data into each operator. All the components run as Docker containers.
Its closest competitors, according to Shanks, are the likes of OpenShift and Rancher. Kore is production-ready and under rapid development to create features where it lags those rivals.
In a blog post, Shanks maintains that most technologies providing self-provisioning are complex, require a steep learning curve and aren’t particularly developer-friendly. And for the ops team, setting up something like a database in a secure environment for developers isn’t that simple either.
He argues that the complexity of Kubernetes isn’t necessarily solved by using managed Kubernetes.
“I think it’s a bit confusing in the industry because your assumption would be, ‘Well, if I’m using cloud-managed Kubernetes, we’re sorted. Yeah, that’s the problem solved.’ But actually, there’s lot of gaps in what [vendors] provide,” he said.
“A lot of the companies that do managed Kubernetes don’t understand how you’ve architected the cloud.”
Appvia starts early in the process, automating account setup with cloud providers. Shanks considers that a differentiator — helping users from the very beginning — and being cloud-focused, not just Kubernetes-focused.
An administrator can define account policy, say, that every team should have a non-production and a production account, then map the Kubernetes production plan, which basically puts best practices on top of the cloud provider, Shanks said.
“We kind of package it up. We call it a plan. And it basically just the production parameters, or best practice parameters to the building of Kubernetes in the cloud. … We’re kind of streamlining the cloud services around that team.” It then manages all access for that team to that Kubernetes cluster.
A couple of the objectives Shanks mentions in the blog post is making costs visible and making it easy for teams to manage and reduce costs. It’s a growing area of focus for companies like Harness.io and env0, not to mention a non-profit trade association called the FinOps Foundation, created to help organizations control their cloud costs.
Appvia employs open source projects like kubecost, into which you can push data into Prometheus, then display the cost visibility back.
Feature image: “SELF SERVICE | 180812-0040596-jikatu” by Jimmy Baikovicius. Licensed under CC BY-SA 2.0.
At this time, The New Stack does not allow comments directly on this website. We invite all readers who wish to discuss a story to visit us on Twitter or Facebook. We also welcome your news tips and feedback via email: feedback@thenewstack.io.