Options for Running Rancher on AWS


AWS is a leading cloud provider and shares many customers with SUSE. How Rancher can be leveraged on AWS is a common question from our mutual customers as well as from new customers just beginning their cloud and container journey. Like all SUSE solutions, Rancher is fully open source and free to use (as in beer), with SUSE-supported options also available. Let’s first dive into “Why Rancher?”.

Why Rancher?

Rancher manages Kubernetes clusters across different environments, including on-premises, cloud, and edge. It provides DevOps teams with tools for running containerized workloads and addresses the security and operational challenges of managing multiple Kubernetes clusters, whether EKS, AKS, GKE, RKE, RKE2 or any other Kubernetes-compliant distribution.

Rancher adds significant value on top of Kubernetes, first by centralizing authentication and role-based access control (RBAC) for all of the clusters, giving global admins the ability to control cluster access from one location.

Rancher is a complete container management platform for Kubernetes, giving you the tools to successfully run Kubernetes anywhere. 

You are probably saying, “Ok, great! I’m sold on Rancher, but what does running it on AWS look like?”. To answer that question, let’s look at the shared responsibility model for community Rancher on AWS (see figure 1).

Figure 1

As you can see, a company running community Rancher in AWS is responsible for Rancher support, including the Rancher binary. Cluster upgrades and security, both critical components of managing a Kubernetes environment, are also up to the customer, as is maintaining a secure image repository. These responsibilities are not only resource- and time-intensive but also depend on having staff with the skill sets required to implement and support them.

You may now be saying, “Yikes! That’s a lot to take on. How does community Rancher differ from Rancher Prime and what is the Rancher Prime shared responsibility model for running on AWS?”. Great question and glad you asked.

Rancher Prime vs Community Rancher, What’s the Difference?

While the Rancher community is global, robust and active, it is still challenging and risky for enterprise companies to rely solely on upstream resources to support their development and runtime environments. That’s where the value of paid support for any open source project comes into play.

First, let’s take a look at the shared responsibility model for Rancher Prime on AWS [see figure 2].

Figure 2

Security and Support

With Rancher Prime, you can have 24×7 enterprise-level support as part of a subscription. This is especially important when you are planning upgrades to your environment: we will proactively have support engineers ready for you, should you need them. I mentioned that with community Rancher the customer is responsible for building and/or downloading the Rancher binary. That process can leave your environment susceptible to CVEs or other attacks. Rancher Prime adds security to your environment by adhering to the SLSA compliance standard and by providing a Software Bill of Materials (SBOM), so you know exactly what went into the build of your Rancher environment. This helps satisfy the requirements of your security team, especially in government agencies.

Rancher Prime also includes integration and support for Kubewarden. Kubewarden is a policy engine that helps ensure deployments adhere to company security standards and other deployment guidelines, such as resource allocation limits. Kubewarden serves as an admission controller that rejects workloads whose configuration does not meet a company’s policies. Many policies are available out of the box, and Kubewarden also allows you to write your own custom policies using its SDK.

NeuVector Prime extends Kubewarden into a full-lifecycle container security solution covering the entire landscape from development to runtime. Patented deep packet inspection (DPI) technology for Kubernetes allows NeuVector to learn application traffic (Layer 7) and automatically create policies that allow that traffic. Once in production, NeuVector enforces behavior-based zero trust security by denying traffic that falls outside the learned and accepted policies. This is especially important for preventing zero-day attacks or other unknown CVEs. The NeuVector Prime UI is integrated into Rancher Prime.

The Developer Experience

While security is top of mind for all companies, the developer experience is equally important. Rancher Prime adds two features that securely improve the developer workflow: a secure and trusted image repository hosted by SUSE, and the Rancher Prime Application Collection.

OCI Trusted Private Image Repository

The Rancher Prime subscription optionally allows customers to download Rancher images from an OCI-compliant, trusted private registry that is owned and managed by SUSE. You can continue to use your own image repository if you prefer.

Rancher Prime Application Collection

The Rancher Prime Application Collection (AppCo) is a SUSE-curated collection of hardened images of key cloud-native applications, complete with signatures and SBOMs. Just like Rancher, AppCo is SLSA compliant. This allows customers to quickly deploy images across their Kubernetes clusters for use in their applications without having to worry about pulling in known CVEs or other vulnerabilities.

Other benefits of Rancher Prime

Upgrade validation – Rancher Prime subscribers can request up to two upgrade path validation checks, along with standby support in case there are any issues during the upgrade.

Supportability Review – Take the guesswork out of whether your configuration and technology stack are supported by SUSE. As part of your subscription, our support team will work with you to confirm that your environment is supportable.

Private Slack Channel – Engage directly with our customer success and support teams via a private Slack channel. This is in addition to your ability to create support cases and access our extensive knowledge base. The private channel allows you to ask general questions as well as stay informed on customer advisories related to product, operations and security.

Now that we have detailed the benefits of Rancher Prime versus community Rancher, let’s address another question we commonly get from customers: “We don’t have the bandwidth or resources to manage our Rancher clusters on AWS. Do you have a SaaS offering?”. Let me introduce you to Hosted Rancher Prime.

Hosted Rancher Prime

Hosted Rancher Prime is our SUSE-managed offering on AWS. It allows customers to focus on their business and applications instead of infrastructure and upgrades. Let’s have a look at the shared responsibility model for Hosted Rancher Prime on AWS [see figure 3].

Figure 3

Hosted Rancher Prime on AWS offers everything Rancher Prime does, plus two key differentiators:

  1. Cluster upgrades of your Rancher environment are handled by SUSE – Easily stay on the most up-to-date Rancher versions without tasking your infrastructure team, while minimizing downtime at the same time.
  2. 99.9% Service Level Agreement (SLA) – SUSE site reliability engineers proactively monitor your environment. Because we maintain the upgrades and monitor your environment, we are able to guarantee 99.9% uptime.

For more information on Hosted Rancher Prime, check out our FAQ page.

In Summary

Hopefully, this helps you understand your options for running Rancher on AWS and the importance of having a secure and supported solution with Rancher Prime. For a quick reference of feature availability across all three options, please see the chart below. Thanks for reading!

Ted Jones is an architect on the Global Cloud Alliance team at SUSE focused on the Secure Container Platform domain.