How the platform works
The GOV.UK Kubernetes platform is an AWS-hosted Kubernetes cluster, using Amazon’s Elastic Kubernetes Service (EKS).
For information on how Kubernetes works in general, see the:
- Kubernetes documentation
- Amazon EKS documentation
- Linux Foundation’s free introduction to Kubernetes training certification
Specific to its implementation of Kubernetes, the GOV.UK Kubernetes platform cluster:
- uses add-ons to manage storage and secrets
- authenticates platform cluster users using an aws-auth ConfigMap
Platform cluster add-ons
The GOV.UK Kubernetes platform cluster uses the following add-ons in its implementation of Kubernetes:
- External secrets
- ExternalDNS
- AWS load balancer controller
- Cluster autoscaler
- Dex OpenID connect provider
- AWS EBS CSI driver
External secrets
The External secrets add-on:
- retrieves secrets from AWS Secrets Manager
- makes those secrets available to GOV.UK applications as standard Kubernetes Secret objects
For more information, see the External secrets documentation.
ExternalDNS
The ExternalDNS add-on creates and manages Domain Name System (DNS) records in AWS Route 53 for exposed (publicly discoverable) Kubernetes services.
For more information, see the External DNS documentation.
AWS load balancer controller
The AWS load balancer controller add-on creates and manages AWS load balancers, based on Kubernetes Ingress objects in the cluster.
For more information, see the AWS load balancer controller documentation.
Cluster autoscaler
The Cluster autoscaler add-on automatically adjusts the size of the Kubernetes cluster by:
- adding worker nodes to the cluster when the cluster is running low on capacity, so that Kubernetes can schedule all of the requested pods
- removing worker nodes when the cluster has spare capacity
The add-on adjusts cluster size by controlling the AWS EC2 auto scaling group for the managed node group.
For more information, see the Cluster autoscaler documentation.
Dex OpenID connect provider
The Dex OpenID connect provider is a federated identity provider.
The GOV.UK Kubernetes platform cluster uses Dex to manage single sign-on to services in the cluster, for example, Grafana dashboards and Argo CD.
Dex acts as an intermediary between apps that are restricted to authorised users, and apps that know how to verify a user’s identity.
For more information, see the Dex OpenID connect provider documentation.
AWS EBS CSI driver
The AWS Elastic Block Store (EBS) Container Storage Interface (CSI) driver allows Amazon EKS clusters to manage the lifecycle of Amazon EBS volumes for persistent volumes.
For more information, see the Amazon EBS CSI driver documentation.
Platform cluster user authentication
To authenticate users, the GOV.UK Kubernetes platform cluster uses an aws-auth ConfigMap in the kube-system namespace.
The ConfigMap maps a user’s AWS Identity and Access Management (IAM) role to the equivalent role in the Kubernetes role-based access control (RBAC) system.
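As an added illustration of that mapping (a constructed example, not the GOV.UK platform’s own aws-auth ConfigMap), the following shows one mapRoles entry together with the RBAC binding that gives the mapped group its permissions; the account ID, role name, username prefix and group name are placeholders.

```yaml
# Constructed example: placeholder account ID, role, username and group.
# aws-auth only answers "who is this IAM identity in Kubernetes terms?";
# what that identity may do is still decided by RBAC bindings (below).
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  # rolearn must be the IAM role's ARN, not an assumed-role session ARN.
  # {{SessionName}} expands to the assumed-role session name, so the
  # Kubernetes audit log records which person assumed the shared role.
  # Avoid mapping roles into the system:masters group: that group bypasses
  # RBAC entirely, so nothing below would constrain it.
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/example-platform-viewer
      username: platform-viewer:{{SessionName}}
      groups:
        - platform-viewers
---
# Without a binding, members of platform-viewers authenticate successfully
# but are authorised to do nothing. Bind the group to the built-in
# read-only "view" ClusterRole rather than to cluster-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: platform-viewers-view
subjects:
  - kind: Group
    name: platform-viewers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

The RBAC half can be checked before anyone assumes the role, using impersonation: `kubectl auth can-i delete pods -n kube-system --as platform-viewer:alice --as-group platform-viewers` should answer `no`, while `kubectl auth can-i list pods -A --as platform-viewer:alice --as-group platform-viewers` should answer `yes`.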
The list of authenticated users for the platform’s different environments is located in the govuk-aws-data/data/infra-security/ GitHub repo on alphagov.
To make changes to this list, you must be in the GOV.UK team on alphagov.
For more information, see the AWS documentation on enabling IAM user and role access to your cluster.