Product Specifications
Kraud is a Platform as a Service (PaaS) with a broad set of features and compatibility layers.
Product Readyness
| Feature | SLA | Redundancy | Security Barriers | Readyness |
|---|---|---|---|---|
| compute | ||||
| Managed Docker | no | N+2 in 1 Zone | microvm+vpc | Usable |
| Managed Kubernetes | no | N+2 1 Zone | microvm+vpc | Experimental |
| Managed Apps | no | N+2 1 Zone | microvm+vpc | Experimental |
| Confidential Compute | no | 1 Node (1) | AMD SEV-SNP | Experimental |
| network | ||||
| Managed Ingress | no | 2N+1 in 2 Zones | isolated machine | Usable |
| Authenticated Ingress | no | 2N+1 in 2 Zones | isolated machine | Experimental |
| Direct Ingress | no | 1 Rack (2) | exposed (3) | Experimental |
| storage | ||||
| Ephemeral NVME | no | 0 (4) | ephemeral encryption | Usable |
| Block Volumes | no | 3N in 1 Zone | isolated machine | Usable |
| GFS Volumes | no | 3N in 1 Zone | isolated machine | Experimental |
| RED Volumes | no | 2N in 1 Zone (5) | isolated machine | Experimental |
| LV Volumes | no | 2N on 1 Host (6) | LVM | Usable |
- Hardware with AMD SEV-SNP is has very limited availability and pods will likely not be rescheduled on failure.
- Direct Ingresses are bound to a single zone. Applications using raw internet facing IP addresses must engineer their own load balancing strategy.
- Direct exposure to the internet without a fronting kraud ingress requires a carefully setup firewall inside the vm
- Local node storage is very fast but ephemeral. It is cleared on container shutdown, restart, reschedule, etc.
- Redundancy reduced volumes are intended for archival and large data pools. Loss is unlikely due to double-replication, but customer are adviced to only store data that can be reconstructed by other means.
- LV are local nvmes on a vm host that are not replicated outside of the chassis, intended for legacy applications. Customers are advised to build their own backup plan.
Datacenter, Physical Security
Kraud is physically located in the colo datacenter FSN1-DC2 Hetzner Online GmbH
- Technische und organisatorische Maßnahmen nach Art. 32 DS-GVO
- ISO27001 Certification
- 100% renewable energy cert
Access is documented with logs of name, timestamp and surveillance camera snapshot.
Security Architecture
Tenant resources are isolated from other tenants using microvms Additionally customers with extremly sensitive data may choose to protect against CPU bugs with confidential vms
Traffic within customer VPC networks is encrypted with wireguard even within the same physical rack, to protect against sideband attacks and network intrusion.
All external traffic arriving at a managed ingress is load balanced, authentication and filtered before entering a VPC. Customers who prefer raw ingresses will have to apply their own protection, such as firewall rules inside the vm itself.
Data at rest is separated from customer vms and accessible only to the hypervisor.