<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[Pitstop Cloud - Medium]]></title>
        <description><![CDATA[Simplify and Automate Cloud Native Deployments - Medium]]></description>
        <link>https://medium.com/pitstop-cloud?source=rss----f0ef51f277b5---4</link>
        <image>
            <url>https://cdn-images-1.medium.com/proxy/1*TGH72Nnw24QL3iV9IOm4VA.png</url>
            <title>Pitstop Cloud - Medium</title>
            <link>https://medium.com/pitstop-cloud?source=rss----f0ef51f277b5---4</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Tue, 19 May 2026 11:56:42 GMT</lastBuildDate>
        <atom:link href="https://medium.com/feed/pitstop-cloud" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[Introducing Pitstop Cloud]]></title>
            <link>https://medium.com/pitstop-cloud/introducing-pitstop-cloud-3be831ec66ab?source=rss----f0ef51f277b5---4</link>
            <guid isPermaLink="false">https://medium.com/p/3be831ec66ab</guid>
            <category><![CDATA[kubernetes]]></category>
            <category><![CDATA[security]]></category>
            <category><![CDATA[cloud-nat]]></category>
            <category><![CDATA[cloud-computing]]></category>
            <category><![CDATA[consulting]]></category>
            <dc:creator><![CDATA[Pitstop Cloud Engineering]]></dc:creator>
            <pubDate>Sun, 30 Aug 2020 23:24:53 GMT</pubDate>
            <atom:updated>2020-08-31T06:36:40.440Z</atom:updated>
            <content:encoded><![CDATA[<blockquote>Visit <a href="http://www.pitstop.cloud">Pitstop Cloud</a></blockquote><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*6LjMEIpUXUiPb6VpwNLKgg.png" /><figcaption>Simplify complexity and outsource automation</figcaption></figure><p>Infrastructure orchestration has evolved over the last 2 decades, starting from manually cabled servers with a few MB of memory to large scale public cloud offerings and server-less infrastructure. There is no doubt today that the biggest winners in this evolution are the public clouds, with AWS now being valued upwards of 100 billion dollars. This evolution has led to a flurry of software development to build higher level abstractions, cloud-agnostic stacks, faster productivity tools, larger scale orchestration systems and, more importantly, community driven solutions.</p><p>One thing that has been difficult for the industry to achieve is <strong>standardization</strong>. There are often multiple ways and alternatives to solve the same problem. For example, in 2016, there were at least half a dozen different orchestration systems at play: Mesos from Mesosphere, Kubernetes from Google, ECS from Amazon, Docker Swarm from Docker, Nomad from Hashicorp. It is the same story with Build and Deploy systems, Network Segmentation Solutions, Application Security Middleware, Public Cloud offerings and, worst of all, load-balancers and databases. A lot of this has been fueled by fierce competition between the public cloud providers for market share through open-source projects. After all, Google learnt something from their mistake of not open-sourcing Bigtable, Map-Reduce and Chubby.</p><p>Let us be honest, all those blogs you read about migrating to Kubernetes in less than 3 months, they cannot be serious! It is easy to create a Kubernetes cluster and deploy a simple application into it and never worry about it. 
It is incredibly difficult if you want to achieve a highly available, secure, up-to-date, multi-tenant, vulnerability-free Kubernetes with Service Mesh.</p><p>Once you have a Kubernetes cluster, your job is not done! You now have to worry about how you would build, deploy and test pipelines for your applications. To be honest, every organization solves these problems in different ways. But the truth is, they solve the same problem, over and over again. Making the right decisions with the right expertise will help you decrease the number of iterations on your infrastructure, and this is exactly what Pitstop aspires to be.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*RgH4pexshbBEwBySuIlXIQ.png" /></figure><h3>Our Mission</h3><p>At Pitstop, we are a group of open source contributors and maintainers in the cloud native ecosystem, striving to simplify and reduce complexity, eventually helping small, medium or large organizations make the right decisions while building their cloud native infrastructure. We aspire to be a customer centric cloud services company offering products and services that enable large scale organizations to achieve quality, security and reliability with velocity. We hope to be the extended infrastructure/platform/devops team for organizations, so they can focus on building core business and not infrastructure.</p><p>In addition to our consulting and design services, we develop products ranging from a multi-cloud managed Kubernetes service to cost visualization and monitoring tools. 
We also provide tools and products to support Provisioning, Federated Application Management Platform, Federated Identity Management, Distributed L3/L4/L7 Load Balancing, Network Segmentation and Monitoring solutions with focus on public, private and hybrid environments.</p><p>Our team of industry experts (most of whom are open source maintainers) offers service engagements that help customers navigate untested territory with infrastructure provisioning, networking, migrations, maintenance, microservice onboarding, database management and security through a process of meticulous engineering, solution architecture and project management.</p><h3>Core Values</h3><ul><li><strong>Customer First:</strong> We work on anything that adds value to an existing or a prospective customer. This might include building products or offering services.</li><li><strong>Engineering Savvy:</strong> We are engineers at heart. We build solutions that we are proud of and that the industry would look up to.</li><li><strong>Affordable</strong>: Our services and products have to be the most affordable with high quality across the globe. We will do this by running lean and highly efficient organizations.</li><li><strong>Proud</strong>: We take immense pride in what we do on a daily basis. No work is beneath our respect; every task anyone does is highly valued and appreciated.</li></ul><h3>Product Roadmap</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*m7E5-1UYJsw0prEE8ZFJ7A.png" /></figure><h4>Pitstop Kubernetes Distribution For Public and Private Clouds</h4><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*vkOf9MGTNcSSqt-R2bp48g.png" /></figure><p>While Kubernetes can streamline container and application delivery, it can be complex to deploy and operate itself. In fact, a top barrier to Kubernetes adoption in enterprise is the lack of experience and expertise. 
Let PKD and tooling address the Day 1 and Day 2 Kubernetes operations burden with a complete, easy-to-upgrade Kubernetes runtime with pre-integrated and validated components for your team, so you can focus on what really matters, shipping applications. This enables you to run the same K8s across data center, public cloud and edge for a consistent, secure experience for all development teams. It can also be used with your existing tools and workflows to give developers secure, self-serve access to conformant Kubernetes clusters in your private and public data centers.</p><p>Almost all managed Kubernetes solutions in the industry deploy Kubernetes clusters to help decrease management costs. While this is extremely helpful, it unfortunately does not solve most problems for users. For example, users on GKE still have to pay Tigera to enable Federated Network Policies, users on AWS still have to pay Cilium and Tigera to enable Security Groups integration for Pods, and these clusters do not come with Istio/Consul/SPIFFE/SPIRE etc., which are fast becoming the de-facto standard for deploying and securing microservices.</p><p>On top of managing and supporting your Kubernetes deployments through our centralized control plane and having someone 24/7 to help you if needed, the managed distro ships with the best production grade software in the world, with some critical Pitstop patches and extensions, to support the following:</p><ul><li>Single click Kubernetes Cluster Creation and Management in most providers (GCE, Azure, Openstack, Bare Metals and AWS supported for now)</li><li>Federated L3/L4 Ingress and Egress Network Policies across multiple Kubernetes clusters on multiple clouds.</li><li>Envoy based Ingress controller for North-South Application Based Load Balancing</li><li>Vulnerability scanning, image admission controls, containers’ system call monitoring and alerting.</li><li>Automated autoscaling and cost management for your clusters deployed on public 
clouds</li><li>Managed service for audit logs and container logs</li><li>Highly optimized Prometheus and Grafana deployment for your metrics</li><li>Istio/Consul based service mesh</li><li>Jaeger distributed tracing enabled for all applications deployed on Kubernetes natively</li><li>KMS/Vault integration for your Kubernetes Secrets</li><li>GitOps based flows to manage your Kubernetes application manifests, including secrets encrypted at rest on disk</li><li>Support for federated identities between LDAP accounts, AWS IAM, Google Authentication, OpenID and many more. If we don’t have something ready, we will build it for you.</li><li>Automated and orchestrated operating system patches and Kubernetes upgrades</li><li>SPIFFE and SPIRE for mutual TLS between your applications inside the cluster</li><li>Support for Cloud based Network Policy Rules (Security Groups in AWS, Compute Engine firewall rules in GCE, Endpoint Rules in Azure and Security Groups in Openstack) in hybrid environments that run applications on Kubernetes and also native VMs.</li><li>Automated certificate expiration monitoring and renewal in Kubernetes clusters.</li><li>Workflow to manage Resource Quota requests and manage cluster capacity based on approved requests.</li></ul><p>We help take this complexity and pain away from engineering teams. Most organizations spend a significant amount of money, effort and time solving the problems above, which have mostly been solved in multiple places in the industry. 
We would take care of this complexity so you can focus on using these primitives to offer the best value to applications serving your business.</p><h3>Pitstop FlowSec</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*OZAXD-o24TvT3bofZo8WjQ.png" /></figure><p>The network security that Calico provides in EKS is great; however, it is primarily focused on the EKS cluster itself. A common use-case for EKS is to build a Kubernetes cluster that can interact with other Amazon hosted resources, such as EC2 and RDS instances. The native protection for those resources is the VPC’s Security Group filtering.</p><p>The problem with this, however, is that, by default, VPC Security Groups can only be applied to EC2 instances. Therefore, if you wanted to allow some subset of your pods access to an RDS instance, for example, you would have to allow that access from all of your EKS worker nodes, thereby allowing ALL your EKS pods access to that RDS instance. That’s probably not what you want. Luckily, one of the capabilities that Pitstop enables is the integration of the VPC Security Group mechanism and Kubernetes/Calico network policy.</p><p>In addition to AWS, Pitstop FlowSec also supports Azure, GCE and Openstack, allowing users and administrators to create Network Policies that segment traffic from pods in Kubernetes and VMs in GCE/Azure/AWS/Cloud transparently.</p><h3>Pitstop AppStack</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ODhYqWpPYUjLaUG_EaxfrQ.png" /></figure><p>If you are an organization trying to move to microservices and Kubernetes at the same time, you know the pain. Microservices are easy to build but difficult to manage. Pitstop AppStack makes it less painful, empowering you with a single click button to:</p><ul><li>Create an application of a particular stack (that an administrator defines). Examples of stacks include Python, Golang, etc. 
Once you create an application on AppStack, it would automatically:</li><li>Provision Jenkins CI/CD pipelines for you</li><li>Set up default monitoring and alerting based on Prometheus for metrics and opsgenie/pagerduty for alerting through alert manager</li><li>Integrate with Jenkins for CI/CD pipelines for each application, and with opsgenie/pagerduty</li><li>Create container repositories in a provider of your choice</li><li>Create development, staging and production environments for your applications</li><li>Set up Argo based deployment pipelines that help you roll out to canary with traffic shaping</li><li>Canary regression analysis and automated rollbacks</li><li>Application Health Modeling and automated alerts for Slack, pagerduty and opsgenie</li></ul><p>AppStack allows platform administrators to define “stacks” which represent canonical templates of applications represented as standard golang templates or Helm charts.</p><p>AppStack is by far the most popular offering from Pitstop. It is something we are very proud of, having helped organizations with a majority of application teams come up to speed on our Platform as a Service product in a matter of hours to deliver high value.</p><h3>Terraform GitOps based CI/CD</h3><p>Terraform has fast become an industry standard for defining declarative infrastructure across multiple cloud platforms, both public and private. 
But many organizations struggle to get it right just because there are so many ways of doing the same thing, and not all of them will give you a clean and manageable workflow for a large team and high scale infrastructure.</p><p>Pitstop provides a CI/CD based solution on top of Jenkins and other pipelines that lets operators offload the process of applying and making changes to a CI system, thereby preventing manual errors and lack of auditability.</p><ul><li>Runs plans on pull requests in git</li><li>Runs apply when the PR merges</li><li>Monitors drift between the terraform state and the actual state and can alert slack/email/pagerduty/opsgenie, thereby providing complete closed loop monitoring and management of your critical infrastructure state</li><li>Audits changes made to your infrastructure</li></ul><h3>Pitstop CI as a Service</h3><p>Is your engineering organization having to deal with scaling limitations of various CI systems? Let us help. With our CI as a Service solution for Jenkins, we provide a single click button for Jenkins deployment for any application owner that can scale workers on demand when there are active jobs. This means you get horizontally scaling, infinite capacity.</p><p>Our CIaaS has helped large organizations like eBay grow into supporting 100,000 builds a day. We also support deploying other modern CIs for web applications like Buildkite through CIaaS.</p><p>Our team can also help move your CI workloads to public clouds to optimize costs, as CIs are mostly bursty resources that can take advantage of the Pay by Use model of public clouds.</p><h3>Services</h3><p>How can we still be of help if none of the products above fit your environment?</p><p>Our team comprises experts, most of whom are open source contributors for projects like Docker, CoreDNS, Kubernetes, Kops, AWS K8s CNI plugins, Consul, Terraform, Openstack, etc. 
We take pride in helping our customers succeed by managing infrastructure complexity so they can focus on driving business growth on top of a scalable, highly available, fault tolerant and managed infrastructure. We build products that make this possible.</p><p>We understand that some customers cannot take advantage of our products for various reasons, ranging from being in the initial phases of their business to being too large to change anything. We respect their position and still help them by providing our expertise in various systems, with functions that include, but are not limited to, the following:</p><ul><li>Declarative Infrastructure Management</li><li>Public Cloud Evaluation and Migrations</li><li>Public Cost Optimization and Show Backs</li><li>Network Security and vulnerability scanning</li><li>Configuration management of large infrastructure</li><li>Cloud Native support for the Kubernetes ecosystem</li><li>Application CI/CD on Jenkins, Buildkite etc</li><li>Deploying and scaling Openstack</li><li>Elasticsearch, Prometheus deployment for visibility</li></ul><p>We’re confident our impact on your engineering organization will be immediate and profound. We’re a tight-knit DevOps strike team with a passion for solving the kinds of infrastructure problems that slow your developers down. In-house DevOps-on-demand is the new answer to the fluctuating business needs of a modern tech organization, and gives you the flexibility to scale your DevOps department as needed. 
Your customers are waiting for you to push the envelope in what you’re already great at; leave the infrastructure troubles to us.</p><hr><p><a href="https://medium.com/pitstop-cloud/introducing-pitstop-cloud-3be831ec66ab">Introducing Pitstop Cloud</a> was originally published in <a href="https://medium.com/pitstop-cloud">Pitstop Cloud</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
    </channel>
</rss>