The Office of Information Technology now offers a Container Platform, based on Red Hat OpenShift, an enterprise distribution of Kubernetes with many useful extensions. It provides a full-featured web interface, similar to cloud-hosted Kubernetes, but with the ability to run applications on-premises.
See the dedicated Container Platform Documentation for in-depth information. Note that this requires logging in to CU Boulder’s GitHub Enterprise instance.
How to get it
This platform is provided with a strong focus on self-service, meaning that OIT provides customers with an empty Kubernetes namespace. Within this namespace, application owners are responsible for managing their own workloads. Compared to other hosting methods, this lets application owners iterate quickly, but it also comes with greater responsibilities.
In order to get started with OIT’s Container Platform,
- Join the UCBoulder GitHub Organization
- Review the Container Platform Documentation
- Request one or more Namespaces
- Participate in the ITCP/Container Platform Users channel in Teams (we’ll make sure you have access when you request a namespace)
Who can get it
CU Boulder faculty, staff, or affiliates that develop or administer applications in service to the business, education, or research interests of the University.
There is currently no charge to use this service; however, in the future there is likely to be a monthly fee based on CPU, memory, and storage consumption.
This is the current status of the platform, including features we have enabled and those that are in progress. If you wish to provide feedback on our roadmap, desired features, barriers to using the platform, or anything else, please fill out this questionnaire. If you have any questions, please open a support case with Platform Engineering by emailing firstname.lastname@example.org.
| Feature | Status (Implemented, Evolving, Short-Term Plan, or Long-Term Plan) | Notes |
|---|---|---|
| Production cluster with 24x7 support from Platform Engineering | X | Backed by OIT's private cloud infrastructure (VMware). Currently supporting production applications for Platform Engineering, several OIT teams, and campus departments. |
| In-depth Container Platform Documentation (https://docs-containers.colorado.edu) | X | Sections for getting started, how-to guides, understanding the service, and referencing API specs. Includes guides for leveraging GitHub Enterprise for managing deployments, customizing HTTP(s) routing, and managing resources. |
| Container Platform Users channel in Teams | X | Place for questions, knowledge sharing, and notifications about the service (like weekly upgrades). Sits within the ITCP team. |
| Customer Alerting Rules and Notifications | X | Create alerting rules based on down Pods or other criteria. Self-manage alert destination. Docs: https://docs-containers.colorado.edu/how_to/monitor_apps/alert_routing/ |
| User workload monitoring for applications running on OpenShift that expose Prometheus metrics | X | Instrumented applications that expose Prometheus-compatible metrics can leverage the next-generation observability tools provided with OpenShift. Docs: https://docs-containers.colorado.edu/how_to/monitor_apps/monitoring_user_defined_projects/ |
| Continuous improvement of the platform with Infrastructure as Code | X | |
| Built-in Image Registry | X | Allows customer image builds to be performed locally in the cluster. |
| Default StorageClass for Persistent Volume Claims | X | Ability for customers to easily add disk volumes to workloads. Docs: https://docs-containers.colorado.edu/reference/storage/ |
| Backups of etcd (the cluster's key-value store) | X | Encrypted and stored outside the cluster. |
| Weekly Cluster Upgrades | X | Provides stability, bug fixes, and security. |
| Backend Observability with Grafana | X | Dashboards and alerting to support day-to-day cluster administration and detect problems proactively. |
| Customer-facing Backups | X | Ability to enable backups of customer pod volumes (filesystems). Ability to restore entire volumes or individual files/directories. Backups are stored externally from the cluster. |
| HTTP(s) Ingress Controller | X | Customers can expose applications to the campus network or public internet, easily create custom service names (URLs), and support HTTPS traffic. Docs: https://docs-containers.colorado.edu/understand/http_routing/ and https://docs-containers.colorado.edu/how_to/custom_domain/ |
| Egress IP Addresses | X | Ability to assign dedicated egress (outbound) IP addresses to namespaces. This helps customers manage firewall rules for external connections initiated by workloads. Docs: https://docs-containers.colorado.edu/reference/egress_ip/ |
| Delegated access management | X | Customers can manage their own access with Grouper groups. Changes are synced automatically. |
| Local GitHub Actions runners | X | Support for self-hosting GitHub Actions runners within the platform. Docs: https://docs-containers.colorado.edu/how_to/build_pipelines/use_gh_runner/ |
| Advanced Cluster Security | X | Full-featured Kubernetes security monitoring, including the ability to automatically notify customers of vulnerabilities in container images. Docs: https://docs-containers.colorado.edu/how_to/secure_apps/ |
| Custom Prometheus for metrics collection | X | This is an evolving feature and is available to current OIT Nagios users who would like to begin evaluating next-generation observability. Contact Platform Engineering to learn more or ask questions. |
| NIST 800-171 Security Compliance | X | Necessary to host workloads with a Highly Confidential data classification. We expect approval sometime in spring 2023. |
| Custom GitHub VPN | X | Ability to connect directly to the cluster from GitHub-hosted Actions runners using a custom VPN. |
| Custom Grafana deployments with IdentiKey authentication | X | This is an evolving feature and will be available to projects using OpenShift User Workload Monitoring to create custom dashboards. |
| Second Site | X | Support redundancy across multiple datacenters. |
| OpenShift on Bare Metal | X | Support larger individual Pods, low-cost scaling of the overall cluster, and potentially more flexibility with storage. |
| Ingress IP Addresses | X | Support for applications that need to accept non-HTTP(s) traffic from outside the cluster (e.g. databases, chat servers, etc.). |
| Automated TLS certificates | X | Leverage Kubernetes certificate management capabilities and the Sectigo API for automatic certificate provisioning and renewal. |
| Public Cloud | X | Expand the service with a footprint in the public cloud. |