Kraud is a Platform as a Service (PaaS) with a broad set of features and compatibility layers.
|Managed Containers||90%||N+2 in 1 Zone||microvm+vpc||Usable|
|Managed Kubernetes||no||N+2 1 Zone||microvm+vpc||Experimental|
|Managed Apps||no||N+2 1 Zone||microvm+vpc||Experimental|
|Confidential Compute||no||1 Node (1)||AMD SEV-SNP||Experimental|
|Managed Ingress||no||2N+1 in 2 Zones||isolated machine||Usable|
|Authenticated Ingress||no||2N+1 in 2 Zones||isolated machine||Experimental|
|Direct Ingress||no||1 Rack (2)||exposed (3)||Experimental|
|Ephemeral NVME||no||0 (4)||ephemeral encryption||Usable|
|LV2 Volumes||no||3N in 1 Zone||isolated machine||Usable|
|NFS Volumes||99%||1+1 in 1+1 Zone||isolated machine||Experimental|
|LV Volumes||no||2N on 1 Host (6)||LVM||Usable|
- Hardware with AMD SEV-SNP is has very limited availability and pods will likely not be rescheduled on failure.
- Direct Ingresses are bound to a single zone. Applications using raw internet facing IP addresses must engineer their own load balancing strategy.
- Direct exposure to the internet without a fronting kraud ingress requires a carefully setup firewall inside the vm
- Local node storage is very fast but ephemeral. It is cleared on container shutdown, restart, reschedule, etc.
- Redundancy reduced volumes are intended for archival and large data pools. Loss is unlikely due to double-replication, but customer are adviced to only store data that can be reconstructed by other means.
- LV are local nvmes on a vm host that are not replicated outside of the chassis, intended for legacy applications. Customers are advised to build their own backup plan.
|Zone||Datacenter Operator||ISO 27001||Renewable Energy|
|UCA (default)||3U Telecom||yes||100%|
|YCA||Hetzner Online GmbH||yes||100%|
Tenant resources are isolated from other tenants using microvms
All Volumes are encrypted at rest and protected against physical theft.
Customers with extremly sensitive data may additionally want encryption at use
Traffic within customer VPC networks is encrypted with wireguard even within the same physical rack, to protect against sideband attacks and network intrusion.
All external traffic arriving at a managed ingress is load balanced, authentication and filtered before entering a VPC. Customers who prefer raw ingresses will have to apply their own protection, such as firewall rules inside the vm itself.