Purdue Container Platform

Service Description

The Purdue Container Platform provides a robust and secure environment for hosting general-purpose containerized applications and systems. This service is designed for university departments and teams seeking a centrally managed, highly available platform for their non-research-related workloads. It leverages industry-standard technologies to offer a modern, flexible, and scalable container orchestration solution, allowing you to focus on application development and deployment while we manage the underlying infrastructure.

Key Features

  • High Availability: The platform is built on a multi-node cluster architecture to ensure your applications are resilient and consistently available.
  • Centralized Management: A user-friendly management interface (Rancher) simplifies the deployment and oversight of your containerized workloads.
  • Enterprise-Grade Security: The environment is hardened according to the Center for Internet Security (CIS) Kubernetes Benchmark, with secrets encrypted at rest and Role-Based Access Control (RBAC) tied to university single sign-on (SSO).
  • Integrated Image Registry: A private image registry (Harbor) is provided, complete with vulnerability scanning (Trivy) and integration with university Active Directory (BoilerAD) for secure image management.
  • Flexible Networking and Storage: The service includes an ingress controller for traffic management, load balancing via F5, and persistent storage through a high-performance NFS solution (Qumulo).
  • Separate Environments: Both non-production and production environments are available to support your development and deployment lifecycle.

Technical Specifications

  • Orchestration: RKE2 (Rancher Kubernetes Engine 2)
  • Cluster Configuration:
    • Management Cluster: A 3-node cluster for centralized management services.
    • Workload Cluster: A multi-node cluster with 5 worker nodes for application workloads.
  • Networking: Calico CNI, Traefik ingress controller, F5 load balancing.
  • Storage: Qumulo via NFS for persistent volumes.
  • Image Registry: Harbor with Trivy vulnerability scanning.
  • Authentication: University SSO (backed by BoilerAD) for access to Rancher and Harbor.
  • Security:
    • Hardened according to the CIS Kubernetes Benchmark.
    • Secrets encryption at rest.
    • Pod Security Standards (Baseline/Restricted) enforced.
    • Role-Based Access Control (RBAC) to enforce the principle of least privilege.
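The Restricted profile and least-privilege RBAC listed above are constraints on what a project is allowed to deploy. The following manifest is an added example, not taken from the platform's own documentation or configuration, showing what a workload that passes the Restricted profile and a deployer identity scoped to one namespace look like. The namespace name, Harbor hostname and image path, PVC name and service account are assumptions; whether project namespaces are labelled for Pod Security Admission by the platform team or by the project itself is not stated on this page.

```yaml
# Added illustration; not a manifest from the Purdue Container Platform.
# Assumed names: namespace "webapp-dev", registry host "harbor.example.edu",
# PVC "webapp-data", service account "webapp-deployer".
apiVersion: v1
kind: Namespace
metadata:
  name: webapp-dev
  labels:
    # Pod Security Admission labels: reject pods that violate Restricted,
    # and warn/audit at the same level so violations are visible.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
  namespace: webapp-dev
spec:
  replicas: 2
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp
    spec:
      automountServiceAccountToken: false   # the app never talks to the API server
      securityContext:
        runAsNonRoot: true                  # Restricted: UID 0 is rejected
        runAsUser: 10001
        runAsGroup: 10001
        fsGroup: 10001                      # group ownership on the mounted NFS-backed volume
        seccompProfile:
          type: RuntimeDefault              # Restricted: RuntimeDefault or Localhost only
      containers:
        - name: webapp
          image: harbor.example.edu/webapp-dev/webapp:1.4.2   # assumed Harbor project and tag
          ports:
            - containerPort: 8080           # unprivileged port, so NET_BIND_SERVICE is not needed
          securityContext:
            allowPrivilegeEscalation: false # Restricted
            capabilities:
              drop: ["ALL"]                 # Restricted: drop everything; only NET_BIND_SERVICE may be added back
            readOnlyRootFilesystem: true    # not required by Restricted, but cheap hardening
          resources:
            requests: { cpu: 250m, memory: 256Mi }
            limits:   { cpu: "1",  memory: 512Mi }
          volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: data
              mountPath: /var/lib/webapp
      volumes:
        - name: tmp
          emptyDir: {}                      # allowed volume type under Restricted (hostPath is not)
        - name: data
          persistentVolumeClaim:
            claimName: webapp-data          # assumed PVC provisioned from the platform's NFS storage
---
# Least-privilege RBAC: a deployer identity that can roll out this app in
# its own namespace and nothing else (no Secrets, no cluster-wide rights).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: webapp-deployer
  namespace: webapp-dev
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: webapp-deployer
  namespace: webapp-dev
subjects:
  - kind: ServiceAccount
    name: webapp-deployer
    namespace: webapp-dev
roleRef:
  kind: Role
  name: webapp-deployer
  apiGroup: rbac.authorization.k8s.io
```

To check a manifest before it reaches the cluster, `kubectl apply --dry-run=server -f manifest.yaml` sends it through admission, including Pod Security Admission, without creating anything, so a Restricted violation such as a missing `allowPrivilegeEscalation: false` shows up as an error or warning rather than a failed rollout. For a namespace that already has workloads, `kubectl label --dry-run=server --overwrite ns webapp-dev pod-security.kubernetes.io/enforce=restricted` lists the existing pods that the profile would reject.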

Pricing and Cost Model

We are committed to providing this service in a transparent and sustainable manner. Our initial approach is based on a "showback" model to help departments understand the value of the resources they consume.

  • Environment Showback: The container platform represents a significant investment in university infrastructure. For planning and awareness purposes, customers should note that they are utilizing a shared environment valued at $6,700.
  • Usage Tracking: To facilitate the showback process, we will collect university account numbers for all projects using the service. This is solely for tracking and reporting purposes; no direct charges will be applied to these accounts under the current model.
  • Annual Review: The showback/chargeback approach will be re-evaluated each year. Should any changes that involve direct billing be deemed necessary, these changes will be communicated at least one full fiscal year in advance to allow for departmental budgeting.
  • Resource-Intensive Projects: If a project's resource requirements exceed the capacity of a single worker node (4 vCPU / 8 GiB memory), the sponsoring department will be asked to fund the addition of one or more worker nodes. The estimated cost for an additional node is approximately $332 (cost may vary depending on the final configuration).

Service Policies

  • Inactive Projects: To ensure efficient use of resources, projects that remain inactive for a period of 12 consecutive months will be removed from the environment.
  • Intended Use: This service is intended for general containerized workloads. It is not designed or supported for research-related computing or data processing workloads.
  • Communications: Maintenance notices and other service announcements are sent via the k8susers@lists.purdue.edu mailing list.

How to Request

Submit a ticket to it@purdue.edu and either mention the "containerization service" or ask that the ticket be assigned to "RHTS".