
Stacklet Platform Brings Managed Cloud Custodian to the Enterprise

May 28th, 2021 3:00am by

Stacklet released its signature product this week with the launch of Stacklet Platform, which the company described in a statement as an “industry-first cloud governance as code platform.”

Stacklet Platform is based on the open source Cloud Custodian, which became a Cloud Native Computing Foundation (CNCF) sandbox-level project last summer, and extends it with a number of features, including management, real-time cloud asset visibility, and out-of-the-box policy packs to help enterprises get started quickly.

“The key value props for Stacklet Platform are to take this proven model that exists in the open source, but is experienced through a DIY, and produce a managed distribution that allows customers to scale it very rapidly,” said Stacklet co-founder and CEO Travis Stanfield. “They can now run it in hundreds, thousands, of cloud accounts with very complex hierarchical policies that in some cases we give out of the box, in some cases they author and tailor to their own needs.”

Governance as code is a relatively new entrant among the “as code” approaches, all of which store configuration as code in a Git repository that acts as the central source of truth. As changes are committed to the repository, they are applied automatically. With infrastructure as code, those changes are applied to the infrastructure; with governance as code, they are applied to governance configuration across a number of areas.

With Stacklet Platform, as with its open source Cloud Custodian counterpart, organizations define their governance using a YAML domain-specific language (DSL). According to Stanfield, Stacklet defines governance as code across a few specific realms: security posture, cloud cost, governmental regulatory compliance, and, as the company put it, “classic but painful cloud actions such as tagging, centralized logging and backups.”

“Our YAML DSL is very fit-to-purpose for cloud resources. It is very human-readable and isn’t as verbose as, say, the lengthy YAML commonly associated with Kubernetes,” Stanfield wrote in an email. “One of the alternatives we’ve seen from enterprise companies is to create ad-hoc admin scripts that query the cloud APIs. These ad-hoc scripts are more difficult to both build and maintain, so using our YAML DSL improves developer productivity.”

Specific examples of where Stacklet Platform’s governance-as-code approach applies include compliance frameworks such as NIST, CSF, PCI-DSS, HIPAA, and the CIS Benchmarks; real-time enforcement of security policies; controlling cost through right-sizing, garbage collection, and de-provisioning of unneeded cloud resources; and the aforementioned tagging, logging, and backups. The changes themselves are carried out via serverless platforms on the three major supported cloud providers, said Stacklet CTO and co-founder Kapil Thangavelu. Thangavelu is also one of the original developers of Cloud Custodian.

“It’s directly integrated with the three major cloud platform serverless infrastructures, and it’s doing that so that it’s able to evaluate and audit events, API calls, in real-time on their respective platforms,” he said. “So it’s integrated with AWS Lambda, Google Cloud Functions, Azure Functions directly and it uses those as a baseline capability to evaluate across hundreds of resources. It uses that as an integration point to provide that real-time, operationally simple event-based evaluation, but it’s doing that across the entire fleet of resources that are in a particular cloud provider, across hundreds of things from IoT to remote desktops to machine learning to databases.”
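As an added illustration (not code from the article or from Stacklet), the two Cloud Custodian policies below show the YAML DSL and the serverless, event-driven mode the preceding paragraphs describe, applied to the tagging and garbage-collection use case: the first policy is deployed as a Lambda function triggered by CloudTrail RunInstances events and marks any newly launched EC2 instance that lacks an Owner tag for termination after a grace period; the second runs on a daily schedule and terminates only instances whose mark has matured and that are still untagged. The IAM role ARN, the account ID, the tag names and the four-day grace period are assumptions chosen for the example.

```yaml
# Added example, not from the article or Stacklet's product. Two Cloud
# Custodian policies that together implement "tag it or it gets collected".
policies:
  # Policy 1: real-time evaluation. Custodian deploys this as an AWS Lambda
  # function subscribed to CloudTrail RunInstances events, so each launch is
  # evaluated as it happens rather than on a polling interval.
  - name: ec2-untagged-mark-for-termination
    resource: aws.ec2
    description: |
      Mark newly launched instances that carry no Owner tag so they are
      terminated after a grace period unless someone tags them.
    mode:
      type: cloudtrail
      events:
        - RunInstances
      role: arn:aws:iam::123456789012:role/custodian-lambda  # placeholder
    filters:
      - "tag:Owner": absent
    actions:
      # Writes a tag of the form "Resource does not meet policy: terminate@<date>"
      # rather than acting immediately, so owners get a window to respond.
      - type: mark-for-op
        tag: custodian_cleanup
        op: terminate
        days: 4

  # Policy 2: periodic garbage collection. Runs once a day as a scheduled
  # Lambda. The Owner filter is repeated so that an instance tagged during the
  # grace period is left alone even if its cleanup mark is still present.
  - name: ec2-untagged-terminate-marked
    resource: aws.ec2
    description: Terminate untagged instances whose cleanup mark has matured.
    mode:
      type: periodic
      schedule: "rate(1 day)"
      role: arn:aws:iam::123456789012:role/custodian-lambda  # placeholder
    filters:
      - "tag:Owner": absent
      - type: marked-for-op
        tag: custodian_cleanup
        op: terminate
    actions:
      - type: terminate
```

Running `custodian run --dryrun` against a policy file like this first lists the matching resources without tagging or terminating anything, which is the usual way to check a new policy's filters before deploying it as a Lambda.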

In addition, one of the ways Stacklet Platform extends Cloud Custodian is by offering these out-of-the-box policy packs, which Stanfield said “allow you to jumpstart with best practices that we at Stacklet can say we tested, we stand behind, we know that these will help you accelerate.”

Thangavelu said the policy packs have “rich metadata associated with them” as far as resource types and other characteristics, and during installation “there’s automatic discovery of their accounts within their cloud infrastructure that they can then map to, as collections of accounts to policies, that they want to enforce in those environments.”

While Stacklet Platform is referred to as a cloud platform, it is currently installed via a Docker container and runs on-premises as a private instance, with a guided setup that gets it up and running across an organization’s various cloud accounts. Pricing is not yet public, and Kubernetes is supported insofar as Cloud Custodian itself supports it.

“Stacklet’s primary mission is to help customers be well managed in the cloud. This is across all assets in the cloud. Kubernetes represents a portion of cloud usage for the enterprise and so — yes — customers who use Kubernetes will absolutely get a lot of value from Stacklet,” wrote Stanfield. “The open-source project (Cloud Custodian) has support for Kubernetes. Stacklet is focused on customer infrastructure needs of which Kubernetes plays a part but hasn’t been the strongest or most specific request at the moment. Stacklet will continue to offer richer Kubernetes functionality over time in line with what we hear from customers.”

TNS owner Insight Partners is an investor in: Docker.