Introduction to Contain Base
The Contain Base service is our fully managed, secure, and production-ready Kubernetes distribution. It serves as the central orchestration and compute engine for your containerized applications and is the foundational layer upon which all other platform services are built.
This service is designed and operated according to the principles of the Contain Platform. For a detailed overview of the platform's architecture, core principles, and operational model, please see the Introduction to the Contain Platform.
Technical Introduction
The Contain Base service is a curated, "batteries-included" Kubernetes distribution. It extends the foundational capabilities of upstream Kubernetes with a set of best-in-class, open-source components that are pre-integrated and hardened by our team.
At its heart, it's a conformant Kubernetes cluster that provides standardized interfaces for networking (CNI) and storage (CSI), with deep integration into the underlying cloud or on-premise infrastructure (CPI). On top of this base, we layer a complete, managed toolkit for security, automation, and operations.
Included Services
The Contain Base service comes with the following services built-in, providing a complete and ready-to-use environment out-of-the-box.
| Service | Components | Comment |
|---|---|---|
| Kubernetes | RKE2, Talos, AKS, EKS, GKE | Depends on the infrastructure provider |
| Backup | Velero | |
| Application Scaling | metrics-server | |
| Certificates | cert-manager | |
| DNS | external-dns | |
| GitOps Deployment | gotk (flux) | |
| Ingress Service Proxy | contour | |
| Namespace Management | namespace-operator | |
| Secrets Management | external-secrets | |
Mandatory Services
Apart from the included services, for most of our offerings we mandate the installation of OpenTelemetry and Prometheus.
SMI (Service Mesh)
We also provide a Service Mesh Service based on Istio.
Core Service Features
The Contain Base service comes with a wide range of capabilities, delivered by our integrated set of core components.
Automated Security & Governance
- Policy as Code: Enforce custom, organization-wide rules on all cluster resources using Gatekeeper. We provide a set of pre-built policies for common security best practices.
- Automated TLS Certificates: Cert-manager automatically provisions, manages, and renews TLS certificates for your applications, enabling HTTPS by default.
- Secure Secret Management: Securely sync secrets from your external secret stores (like HashiCorp Vault/OpenBao or Azure Key Vault) into the cluster with External Secrets.
- Secure by Default Networking: A default set of Network Policies is enforced to block all cross-namespace traffic unless explicitly allowed, enforcing a default-deny security model.
- Continuous Security & Inventory: A lightweight management agent handles internal image scanning and collects a real-time inventory of cluster workloads.
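As an added illustration, not part of the original page or the platform's own manifests, the two standard Kubernetes NetworkPolicy objects below express the default-deny model described above: a per-namespace baseline that admits only same-namespace traffic, plus one explicit cross-namespace exception. The namespace names, pod labels and port are assumptions.

```yaml
# Constructed example (not a Contain Base manifest): the default-deny model
# described above, expressed as standard Kubernetes NetworkPolicy objects.
# Namespace names ("payments", "frontend"), labels and the port are assumed.
---
# 1. Baseline in every namespace: select all pods, allow ingress only from
#    pods in the same namespace. Pods that no policy selects would otherwise
#    accept traffic from anywhere in the cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-cross-namespace
  namespace: payments
spec:
  podSelector: {}          # applies to every pod in "payments"
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}  # no namespaceSelector => same namespace only
---
# 2. Explicit exception: let frontend pods in the "frontend" namespace reach
#    the API pods on port 8080. Policies are additive, so this widens the
#    baseline without replacing it. kubernetes.io/metadata.name is set on
#    every namespace by the API server (Kubernetes 1.21+), so no custom label
#    is needed to identify the peer namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments-api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: frontend
          podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
```

Enforcement depends on the cluster's CNI plugin honouring NetworkPolicy; a quick check is to open a connection to the API pods from a pod in a third namespace and confirm it is refused or times out.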
Secure & Automated Networking
- Advanced Ingress & Traffic Management: Contour provides a high-performance Ingress controller for managing external access to your services with features like traffic shifting and load balancing.
- Automated DNS: ExternalDNS automatically creates and manages public DNS records for your services, integrating directly with your cloud DNS providers.
GitOps & Continuous Delivery
- Declarative GitOps: Flux serves as the backbone of the platform. It continuously reconciles the cluster's state with your configuration stored in Git, automating deployments and infrastructure management.
- Automated Namespace Provisioning: Our Namespace Operator automates the creation of new namespaces, applying default security policies, roles, and resource quotas to ensure consistency.
Operations & Resilience
- Disaster Recovery: Velero provides robust backup and restore capabilities for your cluster resources and persistent volumes, ensuring business continuity.
- Basic Resource Monitoring: Metrics Server provides essential CPU and memory consumption data, enabling workload autoscaling (HPA) and resource planning.
- Workload Prioritization: Pre-defined Priority Classes ensure that critical system and application pods get the resources they need, even on a busy cluster.
Integration & Extensibility
The Contain Base service is the foundational compute layer, designed to integrate perfectly with the rest of our managed service portfolio.
Integration with Platform Services
Your applications running on the Contain Base service can seamlessly and securely use our other managed services. It is the ideal engine for applications that consume services such as:
- Managed Databases (DBaaS)
- Object Storage (S3-compatible)
- Managed Message Queues
For a complete list of services, see the Services section.
Core Platform Services
Beyond consuming other services, you can also enhance the Contain Base service itself by adding our other managed services to it.
The most common addition is our Application Observability Service, which provides a complete telemetry solution (metrics, logs, and traces) and works in conjunction with the Observability Plane. Other available add-ons include an advanced service mesh, CI/CD tooling, and more.