
Product Specifications

Kraud is a Platform as a Service (PaaS) with a broad set of features and compatibility layers.

Product Readiness

Feature                 SLA  Redundancy          Security Barriers      Readiness
compute
  Managed Docker        no   N+2 in 1 Zone       microvm+vpc            Usable
  Managed Kubernetes    no   N+2 in 1 Zone       microvm+vpc            Experimental
  Managed Apps          no   N+2 in 1 Zone       microvm+vpc            Experimental
  Confidential Compute  no   1 Node (1)          AMD SEV-SNP            Experimental
network
  Managed Ingress       no   2N+1 in 2 Zones     isolated machine       Usable
  Authenticated Ingress no   2N+1 in 2 Zones     isolated machine       Experimental
  Direct Ingress        no   1 Rack (2)          exposed (3)            Experimental
storage
  Ephemeral NVME        no   0 (4)               ephemeral encryption   Usable
  Block Volumes         no   3N in 1 Zone        isolated machine       Usable
  GFS Volumes           no   3N in 1 Zone        isolated machine       Experimental
  RED Volumes           no   2N in 1 Zone (5)    isolated machine       Experimental
  LV Volumes            no   2N on 1 Host (6)    LVM                    Usable
  1. Hardware with AMD SEV-SNP has very limited availability, and pods will likely not be rescheduled on failure.
  2. Direct Ingresses are bound to a single zone. Applications using raw internet-facing IP addresses must engineer their own load balancing strategy.
  3. Direct exposure to the internet without a fronting kraud ingress requires a carefully set up firewall inside the VM.
  4. Local node storage is very fast but ephemeral. It is cleared on container shutdown, restart, reschedule, etc.
  5. Redundancy-reduced volumes are intended for archival and large data pools. Loss is unlikely due to double replication, but customers are advised to only store data that can be reconstructed by other means.
  6. LV volumes are local NVMes on a VM host that are not replicated outside of the chassis, intended for legacy applications. Customers are advised to build their own backup plan.

Datacenter, Physical Security

Kraud is physically located in the colocation datacenter FSN1-DC2 of Hetzner Online GmbH.

Access is documented with logs of name, timestamp and surveillance camera snapshot.

Security Architecture

Tenant resources are isolated from other tenants using microvms. Additionally, customers with extremely sensitive data may choose to protect against CPU bugs with confidential VMs.

Traffic within customer VPC networks is encrypted with WireGuard even within the same physical rack, to protect against sideband attacks and network intrusion.

All external traffic arriving at a managed ingress is load balanced, authenticated and filtered before entering a VPC. Customers who prefer raw ingresses will have to apply their own protection, such as firewall rules inside the VM itself.

Data at rest is separated from customer VMs and accessible only to the hypervisor.