Warning This document has not been updated for a while now. It may be out of date.

Last updated: 25 Aug 2023

How the platform works

The GOV.UK Kubernetes platform is an AWS-hosted Kubernetes cluster, using Amazon’s Elastic Kubernetes Service (EKS).

For information on how Kubernetes works in general, see the:

• Kubernetes documentation
• Amazon EKS documentation
• Linux foundation’s free introduction to Kubernetes training certification

Specific to its implementation of Kubernetes, the GOV.UK Kubernetes platform cluster:

• uses add-ons to manage storage and secrets
• authenticates platform cluster users using an aws-auth ConfigMap

Platform cluster add-ons

The GOV.UK Kubernetes platform cluster uses the following add-ons in its implementation of Kubernetes:

• External secrets
• ExternalDNS
• AWS load balancer controller
• Cluster autoscaler
• Dex OpenID connect provider
• AWS EBS CSI driver

External secrets

The External-secrets add-on:

• retrieves secrets from AWS Secrets Manager
• makes those secrets available to GOV.UK applications as standard Kubernetes Secret objects

For more information, see the External secrets documentation.

ExternalDNS

The ExternalDNS add-on creates and manages Domain Name System (DNS) records in AWS Route 53 for exposed (publicly discoverable) Kubernetes services in AWS Route 53.

For more information, see the External DNS documentation.

AWS load balancer controller

The AWS load balancer controller add-on creates and manages AWS load balancers, based on Kubernetes Ingress objects in the cluster.

For more information, see the AWS load balancer controller documentation.

Cluster autoscaler

The Cluster autoscaler add-on automatically adjusts the size of the Kubernetes cluster by:

• adding worker nodes to the cluster when the cluster is running low on capacity, so that Kubernetes can schedule all of the requested pods.
• removing worker nodes when the cluster has spare capacity

The add-on adjusts cluster size by controlling the AWS EC2 auto scaling group for the managed node group.

For more information, see the Cluster autoscaler documentation.

Dex OpenID connect provider

The Dex OpenID connect provider is a federated identity provider.

The GOV.UK Kubernetes platform cluster uses Dex to manage single sign-on to services in the cluster, for example, Grafana dashboards and Argo CD.

Dex acts as an intermediary between apps that are restricted to authorised users, and apps that know how to verify a user’s identity.

For more information, see the Dex OpenID connect provider documentation.

AWS EBS CSI Driver

The AWS Elastic Block Store (EBS) Container Storage Interface (CSI) driver allows Amazon EKS clusters to manage the lifecycle of Amazon EBS volumes for persistent volumes.

For more information, see the Amazon EBS CSI driver documentation.

Platform cluster user authentication

To authenticate users, the GOV.UK Kubernetes platform cluster uses an aws-auth ConfigMap in the kube-system namespace.

The ConfigMap maps a user’s AWS Identity Access Management (IAM) role to the equivalent role in the Kubernetes role-based access control system.

The list of authenticated users for the platform’s different environments is located in the govuk-aws-data/data/infra-security/ GitHub repo on alphagov.

To make changes to this list, you must be in the GOV.UK team on alphagov.

For more information, see the AWS documentation on enabling IAM user and role access to your cluster.